
RE: webappsec-ISSUE-51: How to handle externally defined <element> with <link rel=import>

From: Hill, Brad <bhill@paypal-inc.com>
Date: Sun, 28 Apr 2013 19:54:44 +0000
To: Dimitri Glazkov <dglazkov@google.com>, Adam Barth <w3c@adambarth.com>
CC: Anne van Kesteren <annevk@annevk.nl>, "Web Application Security Working Group" <public-webappsec@w3.org>
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E279FAD41@DEN-EXDDA-S12.corp.ebay.com>
Thanks, Adam.

I think these changes make sense to prevent web components from causing regressions, but I wonder if there isn't still a case for something like a component-src directive as the component packages include not just scripts but styles, etc. and they are likely to be defined in an inline fashion even when loaded from a remote source.

-Brad

From: Dimitri Glazkov [mailto:dglazkov@google.com]
Sent: Saturday, April 27, 2013 9:15 AM
To: Adam Barth
Cc: Anne van Kesteren; Web Application Security Working Group
Subject: Re: webappsec-ISSUE-51: How to handle externally defined <element> with <link rel=import>

Great. By the way, the spec is here: https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/imports/index.html, if you need to link to/peruse it.

:DG<

On Sat, Apr 27, 2013 at 8:43 AM, Adam Barth <w3c@adambarth.com> wrote:
Done: https://dvcs.w3.org/hg/content-security-policy/rev/5c5a663f67f1

On Sat, Apr 27, 2013 at 8:34 AM, Dimitri Glazkov <dglazkov@google.com> wrote:
> I think that's reasonable. In my mental model, <link rel=import> falls
> roughly into that same bucket as script.
>
> :DG<
>
>
> On Sat, Apr 27, 2013 at 7:07 AM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> On Thu, Apr 25, 2013 at 4:16 PM, Anne van Kesteren <annevk@annevk.nl>
>> wrote:
>> > On Thu, Apr 25, 2013 at 10:49 PM, Web Application Security Working
>> > Group Issue Tracker <sysbot+tracker@w3.org> wrote:
>> >> Create a new directive, e.g. import-src for allowing custom elements to
>> >> be imported from an external source?
>> >
>> > Last I checked this can do the same as script, so you probably want to
>> > restrict via the same mechanism.
>>
>> Yeah, we'll probably need to restrict <link rel=import> with
>> script-src so that it's not an XSS vector for existing web sites that
>> use CSP.
>>
>> Adam
>
>
Received on Sunday, 28 April 2013 19:55:16 UTC
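One way to check the rule the thread settles on (a <link rel=import> is governed by script-src, falling back to default-src, exactly as a script would be), as an added Python example that is not part of this thread or of the CSP or HTML Imports specs; the policy string, page origin and URLs are constructed, and the source matching is a simplified model of CSP 1.0 rather than any browser's algorithm:

```python
from urllib.parse import urlparse

# Simplified model of CSP 1.0 source matching, constructed for this example (not a
# browser's algorithm): 'none', 'self', scheme-sources, host-sources with wildcard/port.

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(expr, url, page_origin):
    """True if one source expression allows url, relative to the page's origin."""
    u, o = urlparse(url), urlparse(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (o.scheme, o.hostname, o.port)
    if expr.endswith(":"):                        # scheme-source, e.g. https:
        return u.scheme == expr[:-1].lower()
    scheme, _, rest = expr.rpartition("://")
    host, _, port = rest.partition(":")
    if u.scheme != (scheme or o.scheme).lower():  # no scheme given: page's scheme
        return False
    effective_port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    if port and port != "*" and str(effective_port) != port:
        return False
    host, target = host.lower(), (u.hostname or "").lower()
    if host.startswith("*."):                     # *.example.com matches a.example.com
        return target.endswith(host[1:])
    return host == "*" or host == target

def import_allowed(header, href, page_origin):
    """Thread's rule: imports are governed by script-src, else default-src."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True                               # no governing directive: unrestricted
    return any(source_matches(s, href, page_origin) for s in sources)

POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"  # constructed
PAGE = "https://app.example.com"                                            # constructed
if __name__ == "__main__":
    for href in ("https://app.example.com/components/menu.html",
                 "https://third-party.example/component.html"):
        print(href, "allowed" if import_allowed(POLICY, href, PAGE) else "blocked")
```

A site that already deploys script-src therefore needs no new directive for imports to be covered, which is the regression concern Adam raises above.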
