
Re: Trimming the SecurityPolicy DOM interface

From: Eduardo' Vela <evn@google.com>
Date: Sun, 28 Apr 2013 06:24:18 +0800
Message-ID: <CAFswPa9iOB6EB94fmL3EZsNzdfMGHch6PQLc1dZ2zmPiEDO6Wg@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Alex Russell <slightlyoff@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, "www-tag@w3.org List" <www-tag@w3.org>
I have a use case!

For example, Analytics, google.com/jsapi, and Ads as well as similar
scripts need to be able to load other scripts, and unless the parent page
is using script-nonce (and a forgiving img-src/frame-src), it's impossible
to do so.

One could argue that script-nonce is the right way of doing this, but it's
impossible for service providers such as Google to force all sites on the
interwebs that want to use CSP to use script-nonces, as they can't be used on
dynamic pages.

What would be nice would be to have an API where you set a starting CSP and
somehow allow scripts to modify it, by either extending it or subsetting it.

For example, script-extend https://www.google.com/jsapi could allow the
script loaded from that source to extend the CSP policy.
Received on Saturday, 27 April 2013 22:25:05 UTC
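The situation the message describes, as an added example that is not part of the original post, the W3C drafts, or any browser: a minimal evaluator for the CSP script-src directive that shows why a whitelisted third-party script cannot load its own dependencies under a host whitelist, and why it can under a nonce policy only if the loader copies the page's nonce onto the scripts it creates. The draft's separate `script-nonce` directive is modelled as the `'nonce-…'` source expression that CSP Level 2 eventually adopted; the publisher origin, the nonce value and every URL below /jsapi are constructed for the example, and port matching and the http-to-https scheme upgrade are deliberately left out.

```javascript
// Added example (not from the page, the W3C, or any browser): a minimal
// evaluator for the CSP script-src directive. Ports are ignored and only exact
// path or path-prefix (trailing '/') matching is implemented.

// "script-src 'self' https://a.example; img-src *" -> { 'script-src': [...], 'img-src': [...] }
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Host-source matching: "https:", "[scheme://]host[/path]", with "*." host prefixes.
function hostSourceMatches(source, urlString) {
  const url = new URL(urlString);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {          // scheme-only source, e.g. "https:"
    return url.protocol === source.toLowerCase();
  }
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, hostPort, path] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const host = hostPort.split(':')[0].toLowerCase();
  const hostname = url.hostname.toLowerCase();
  if (host.startsWith('*.')) {
    if (!hostname.endsWith(host.slice(1))) return false;   // "*.google.com" -> ".google.com"
  } else if (host !== '*' && host !== hostname) {
    return false;
  }
  if (path) {
    if (path.endsWith('/')) { if (!url.pathname.startsWith(path)) return false; }
    else if (url.pathname !== path) return false;
  }
  return true;
}

// Would a <script src=... nonce=...> element execute under this policy?
function scriptAllowed(policy, script, pageOrigin) {
  const sources = policy['script-src'] || policy['default-src'];
  if (!sources) return true;                                   // no governing directive
  if (sources.length === 1 && sources[0] === "'none'") return false;
  for (const src of sources) {
    if (src === "'self'") {
      if (new URL(script.src).origin === pageOrigin) return true;
    } else if (src.startsWith("'nonce-")) {
      if (script.nonce && src === `'nonce-${script.nonce}'`) return true;  // case-sensitive
    } else if (src.startsWith("'")) {
      // 'unsafe-inline', 'unsafe-eval', ... never whitelist an external src
    } else if (hostSourceMatches(src, script.src)) {
      return true;
    }
  }
  return false;
}

// A loader the third-party script could use: copy the nonce the page granted to
// the currently executing script onto the dependency it creates. In a browser
// currentScript would be document.currentScript; here scripts are plain objects.
function loadDependency(currentScript, url) {
  return { src: url, nonce: currentScript.nonce || null };
}

// Constructed scenario: publisher origin, nonce and the dependency URL are invented.
const PAGE_ORIGIN = 'https://publisher.example';
const NONCE = 'r4nd0mBase64';
const DEP_URL = 'https://www.google.com/uds/?file=visualization';
const hostPolicy  = parsePolicy("script-src 'self' https://www.google.com/jsapi");
const noncePolicy = parsePolicy(`script-src 'self' 'nonce-${NONCE}'`);

function scenario() {
  const jsapiNoNonce = { src: 'https://www.google.com/jsapi', nonce: null };
  const jsapiNonced  = { src: 'https://www.google.com/jsapi', nonce: NONCE };
  return {
    // host whitelist: the entry point runs, but anything it tries to load is blocked
    hostWhitelistEntry: scriptAllowed(hostPolicy, jsapiNoNonce, PAGE_ORIGIN),
    hostWhitelistDep:   scriptAllowed(hostPolicy, loadDependency(jsapiNoNonce, DEP_URL), PAGE_ORIGIN),
    // nonce policy: the dependency runs only if the loader propagates the nonce
    nonceEntry:         scriptAllowed(noncePolicy, jsapiNonced, PAGE_ORIGIN),
    nonceDepPropagated: scriptAllowed(noncePolicy, loadDependency(jsapiNonced, DEP_URL), PAGE_ORIGIN),
    nonceDepForgotten:  scriptAllowed(noncePolicy, { src: DEP_URL, nonce: null }, PAGE_ORIGIN),
  };
}

console.table(scenario());
```

The table this prints is the whole argument of the message in five rows: under the host whitelist the dependency is blocked no matter what the loader does, because `/jsapi` is an exact-path source and nothing else on www.google.com is listed; under the nonce policy it is allowed, but only when the loader carries the nonce forward, which is exactly the cooperation between page and provider that the message says cannot be assumed.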