Re: CSP when external script loads another external script?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Fri, 19 Apr 2013 11:21:15 +0100
Message-ID: <CADnb78j_V322WJuEXCd6wc-E7LEkL4JGqOdqJNo3KkezGg8trQ@mail.gmail.com>
To: James Marshall <james@jmarshall.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Thu, Apr 18, 2013 at 7:10 PM, James Marshall <james@jmarshall.com> wrote:
> Something in the CSP draft is unclear to me-- if an HTML document has an
> external script element that in turn loads another external script (via
> Document.write(),  Node.appendChild(), etc.), is the loading of that second
> script governed by the policy of the first script resource, or by the policy
> of the original HTML document?
> Apologies if I missed something.  All related explanations welcome, as I'm
> new to CSP, and need to get it thoroughly right in my app (physical safety
> is at stake).

The document is in charge of loading all its resources.

Received on Friday, 19 April 2013 10:21:42 UTC
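
The point made in the reply above, as an added example that is not part of the original message or of the CSP draft: a simplified JavaScript model of a `script-src` check in which the only inputs are the document's policy, the document's origin and the URL being fetched, so a script injected by another script is judged exactly like one written in the HTML. The function names and all hosts are hypothetical, and only `'none'`, `'self'`, `*` and scheme-plus-host sources are modelled.

```javascript
// Added illustration: simplified model of CSP script-src enforcement.
// No ports, paths, nonces or hashes are handled.

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, documentOrigin) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return url.origin === documentOrigin;
  const m = /^(https?):\/\/(\*\.)?([a-z0-9.-]+)$/i.exec(source);
  if (!m || url.protocol !== m[1].toLowerCase() + ':') return false;
  const host = m[3].toLowerCase();
  return m[2] ? url.hostname.endsWith('.' + host) : url.hostname === host;
}

// The initiating script, and any CSP header sent with that script's own
// response, is deliberately not a parameter: it plays no part in the decision.
function scriptAllowed(documentPolicy, documentOrigin, scriptUrl) {
  const policy = parsePolicy(documentPolicy);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no applicable directive
  const url = new URL(scriptUrl);
  return sources.some((s) => sourceMatches(s, url, documentOrigin));
}

// Constructed scenario; every host here is a placeholder.
const DOC_ORIGIN = 'https://app.example';
const DOC_POLICY = "default-src 'none'; script-src 'self' https://cdn.example";
function demo() {
  return {
    // <script src> written in the HTML document
    first: scriptAllowed(DOC_POLICY, DOC_ORIGIN, 'https://cdn.example/loader.js'),
    // added by loader.js via appendChild(): same check, same document policy
    second: scriptAllowed(DOC_POLICY, DOC_ORIGIN, 'https://tracker.example/t.js'),
    sameOrigin: scriptAllowed(DOC_POLICY, DOC_ORIGIN, 'https://app.example/app.js'),
  };
}
console.log(demo());
```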