Re: webappsec-ISSUE-51: How to handle externally defined <element> with <link rel=import> from Dimitri Glazkov on 2013-04-27 (public-webappsec@w3.org from April 2013)

From: Dimitri Glazkov <dglazkov@google.com>
Date: Sat, 27 Apr 2013 08:34:40 -0700
To: Adam Barth <w3c@adambarth.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Web Application Security Working Group <public-webappsec@w3.org>
Message-ID: <CADh5Ky3v1u5HLE+sRcYiO6Z9a9iRuqqcFpDR8dWy4Z-2RkD7NA@mail.gmail.com>

I think that's reasonable. In my mental model, <link rel=import> falls
roughly into that same bucket as script.

:DG<


On Sat, Apr 27, 2013 at 7:07 AM, Adam Barth <w3c@adambarth.com> wrote:

> On Thu, Apr 25, 2013 at 4:16 PM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > On Thu, Apr 25, 2013 at 10:49 PM, Web Application Security Working
> > Group Issue Tracker <sysbot+tracker@w3.org> wrote:
> >> Create a new directive, e.g. import-src for allowing custom elements to
> be imported from an external source?
> >
> > Last I checked this can do the same as script, so you probably want to
> > restrict via the same mechanism.
>
> Yeah, we'll probably need to restrict <link rel=import> with
> script-src so that it's not an XSS vector for existing web sites that
> use CSP.
>
> Adam
>

Received on Saturday, 27 April 2013 15:35:09 UTC