W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2013

Re: webappsec-ISSUE-51: How to handle externally defined <element> with <link rel=import>

From: Adam Barth <w3c@adambarth.com>
Date: Sat, 27 Apr 2013 07:07:39 -0700
Message-ID: <CAJE5ia9NXLpnJ9xRFWbKcAaZLA=kReCcOgmRSR2ryaMBCK=o_A@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Web Application Security Working Group <public-webappsec@w3.org>, Dimitri Glazkov <dglazkov@chromium.org>
On Thu, Apr 25, 2013 at 4:16 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Apr 25, 2013 at 10:49 PM, Web Application Security Working
> Group Issue Tracker <sysbot+tracker@w3.org> wrote:
>> Create a new directive, e.g. import-src for allowing custom elements to be imported from an external source?
>
> Last I checked this can do the same as script, so you probably want to
> restrict via the same mechanism.

Yeah, we'll probably need to restrict <link rel=import> with
script-src so that it's not an XSS vector for existing web sites that
use CSP.

Adam
Received on Saturday, 27 April 2013 14:16:08 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:01 UTC