Great. By the way, the spec is here: https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/imports/index.html, if you need to link to/peruse it.

:DG<

On Sat, Apr 27, 2013 at 8:43 AM, Adam Barth <w3c@adambarth.com> wrote:

> Done: https://dvcs.w3.org/hg/content-security-policy/rev/5c5a663f67f1
>
> On Sat, Apr 27, 2013 at 8:34 AM, Dimitri Glazkov <dglazkov@google.com> wrote:
> > I think that's reasonable. In my mental model, <link rel=import> falls
> > roughly into that same bucket as script.
> >
> > :DG<
> >
> > On Sat, Apr 27, 2013 at 7:07 AM, Adam Barth <w3c@adambarth.com> wrote:
> >>
> >> On Thu, Apr 25, 2013 at 4:16 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> >> > On Thu, Apr 25, 2013 at 10:49 PM, Web Application Security Working
> >> > Group Issue Tracker <sysbot+tracker@w3.org> wrote:
> >> >> Create a new directive, e.g. import-src for allowing custom elements to
> >> >> be imported from an external source?
> >> >
> >> > Last I checked this can do the same as script, so you probably want to
> >> > restrict via the same mechanism.
> >>
> >> Yeah, we'll probably need to restrict <link rel=import> with
> >> script-src so that it's not an XSS vector for existing web sites that
> >> use CSP.
> >>
> >> Adam

Received on Saturday, 27 April 2013 16:15:16 UTC
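
The decision reached in this thread, sketched as an added example (not code from the CSP specification or from any participant): a simplified policy check in which a `<link rel=import>` load is governed by `script-src`. The function names, the `GOVERNING` table and the `.example` hosts are constructed for illustration, and source matching covers only `*`, `'self'` and plain origins.

```javascript
// Parse a CSP header value into a Map of directive name -> source list.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Which directive governs each kind of load. Mapping "import" to script-src
// is the outcome of the thread; there is no separate import-src directive.
const GOVERNING = { script: 'script-src', import: 'script-src', image: 'img-src' };

// Simplified source matching (assumption: no paths, wildcard hosts or nonces).
function sourceMatches(source, url, pageOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'none' and keywords not modelled
  try { return new URL(source).origin === url.origin; } catch { return false; }
}

// Decide whether a load of the given kind is permitted by the policy.
function isAllowed(header, kind, target, pageUrl) {
  const policy = parsePolicy(header);
  const page = new URL(pageUrl);
  const url = new URL(target, page);
  const list = policy.get(GOVERNING[kind]) ?? policy.get('default-src');
  if (list === undefined) return true; // no governing directive: unrestricted
  return list.some((s) => sourceMatches(s, url, page.origin));
}

// Constructed sample: a site that deployed CSP before imports existed.
const PAGE = 'https://site.example/index.html';
const POLICY = "script-src 'self' https://cdn.example";
console.log(isAllowed(POLICY, 'import', 'https://other.example/widget.html', PAGE));
```

Because the import is checked against the existing `script-src` list, a policy written before imports existed still blocks an import from an unlisted origin, while an image load, which this policy does not restrict, is unaffected.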