
Re: webappsec-ISSUE-51: How to handle externally defined <element> with <link rel=import>

From: Dimitri Glazkov <dglazkov@google.com>
Date: Sat, 27 Apr 2013 09:14:48 -0700
Message-ID: <CADh5Ky0GxOtMV_aoE3PNDo=Z0wyv0=KJbWD5nNG=jG7Bj0L9jQ@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Web Application Security Working Group <public-webappsec@w3.org>
Great. By the way, the spec is here:
https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/imports/index.html,
if you need to link to/peruse it.

:DG<


On Sat, Apr 27, 2013 at 8:43 AM, Adam Barth <w3c@adambarth.com> wrote:

> Done: https://dvcs.w3.org/hg/content-security-policy/rev/5c5a663f67f1
>
> On Sat, Apr 27, 2013 at 8:34 AM, Dimitri Glazkov <dglazkov@google.com>
> wrote:
> > I think that's reasonable. In my mental model, <link rel=import> falls
> > roughly into that same bucket as script.
> >
> > :DG<
> >
> >
> > On Sat, Apr 27, 2013 at 7:07 AM, Adam Barth <w3c@adambarth.com> wrote:
> >>
> >> On Thu, Apr 25, 2013 at 4:16 PM, Anne van Kesteren <annevk@annevk.nl>
> >> wrote:
> >> > On Thu, Apr 25, 2013 at 10:49 PM, Web Application Security Working
> >> > Group Issue Tracker <sysbot+tracker@w3.org> wrote:
> >> >> Create a new directive, e.g. import-src for allowing custom elements to
> >> >> be imported from an external source?
> >> >
> >> > Last I checked this can do the same as script, so you probably want to
> >> > restrict via the same mechanism.
> >>
> >> Yeah, we'll probably need to restrict <link rel=import> with
> >> script-src so that it's not an XSS vector for existing web sites that
> >> use CSP.
> >>
> >> Adam
> >
> >
>
Received on Saturday, 27 April 2013 16:15:16 UTC
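The thread's conclusion is that a `<link rel=import>` fetch is checked against `script-src` (falling back to `default-src`), exactly as an external script would be, so an injected import cannot slip past a policy that already locks down scripts. The following is an added illustration, not code from the thread, the CSP spec, or any browser: a deliberately simplified source-list matcher (no nonces, hashes, path matching or the special-casing of `data:`/`blob:` under `*`) that models that decision. The page origin `https://app.example`, the policies and the URLs are constructed for the example.

```javascript
// Added example: a simplified model of how CSP source lists govern fetches,
// with HTML imports routed to script-src as decided in the thread.
// Not the CSP spec algorithm; see the lead-in for what is left out.

function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' }[protocol] || '';
}

// "script-src 'self' https://cdn.example; img-src *" -> Map(directive -> [sources]).
// CSP keeps the first occurrence of a directive name and ignores duplicates.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression permit fetching `url` from a page at `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;                       // simplified: real CSP excludes data:/blob: here
  if (s === "'self'") return target.origin === page.origin;
  if (s.startsWith("'")) return false;              // nonce/hash/'unsafe-*' keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;   // scheme-source, e.g. "https:"
  // host-source: [scheme://][*.]host[:port|:*]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const wantScheme = scheme ? scheme + ':' : page.protocol;
  if (target.protocol !== wantScheme) return false;
  const hostOk = wildcard ? target.hostname.endsWith('.' + host) : target.hostname === host;
  if (!hostOk) return false;
  if (port === '*') return true;
  const targetPort = target.port || defaultPort(target.protocol);
  const wantPort = port || (scheme ? defaultPort(wantScheme) : (page.port || defaultPort(page.protocol)));
  return targetPort === wantPort;
}

// Which directive governs a fetch of the given kind? The thread's decision is
// encoded here: an HTML import is treated like a script and uses script-src.
function governingDirective(policy, fetchType) {
  const primary = (fetchType === 'script' || fetchType === 'import') ? 'script-src' : fetchType + '-src';
  if (policy.has(primary)) return primary;
  if (policy.has('default-src')) return 'default-src';
  return null;                                      // no applicable directive: fetch is unrestricted
}

function isAllowed(header, fetchType, url, pageOrigin) {
  const policy = parsePolicy(header);
  const name = governingDirective(policy, fetchType);
  if (name === null) return true;
  return policy.get(name).some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed demo values: a page that already restricts scripts to itself and one CDN.
const demoPage = 'https://app.example';
const demoPolicy = "script-src 'self' https://cdn.example; img-src *";
for (const href of ['https://cdn.example/widgets.html', 'https://evil.example/inject.html']) {
  console.log(`<link rel=import href="${href}"> ->`,
    isAllowed(demoPolicy, 'import', href, demoPage) ? 'allowed' : 'blocked by script-src');
}
```

Because `governingDirective` maps `import` onto `script-src`, a site whose policy already names its trusted script origins gets the same protection for imports without adding a new directive, which is the compatibility point Adam makes about existing CSP deployments. Swapping the `import` case to a hypothetical `import-src` would show the alternative from the issue tracker: sites with a `script-src` but no `import-src` would fall through to `default-src`, or to "unrestricted" if that is absent too.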
