- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Sun, 28 Apr 2013 19:54:44 +0000
- To: Dimitri Glazkov <dglazkov@google.com>, Adam Barth <w3c@adambarth.com>
- CC: Anne van Kesteren <annevk@annevk.nl>, "Web Application Security Working Group" <public-webappsec@w3.org>
- Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E279FAD41@DEN-EXDDA-S12.corp.ebay.com>
Thanks, Adam. I think these changes make sense to prevent web components from causing regressions, but I wonder if there isn't still a case for something like a component-src directive, as the component packages include not just scripts but styles, etc., and they are likely to be defined in an inline fashion even when loaded from a remote source.

-Brad

From: Dimitri Glazkov [mailto:dglazkov@google.com]
Sent: Saturday, April 27, 2013 9:15 AM
To: Adam Barth
Cc: Anne van Kesteren; Web Application Security Working Group
Subject: Re: webappsec-ISSUE-51: How to handle externally defined <element> with <link rel=import>

Great. By the way, the spec is here: https://dvcs.w3.org/hg/webcomponents/raw-file/tip/spec/imports/index.html, if you need to link to/peruse it.

:DG<

On Sat, Apr 27, 2013 at 8:43 AM, Adam Barth <w3c@adambarth.com> wrote:
Done: https://dvcs.w3.org/hg/content-security-policy/rev/5c5a663f67f1

On Sat, Apr 27, 2013 at 8:34 AM, Dimitri Glazkov <dglazkov@google.com> wrote:
> I think that's reasonable. In my mental model, <link rel=import> falls
> roughly into that same bucket as script.
>
> :DG<
>
>
> On Sat, Apr 27, 2013 at 7:07 AM, Adam Barth <w3c@adambarth.com> wrote:
>>
>> On Thu, Apr 25, 2013 at 4:16 PM, Anne van Kesteren <annevk@annevk.nl>
>> wrote:
>> > On Thu, Apr 25, 2013 at 10:49 PM, Web Application Security Working
>> > Group Issue Tracker <sysbot+tracker@w3.org> wrote:
>> >> Create a new directive, e.g. import-src for allowing custom elements to
>> >> be imported from an external source?
>> >
>> > Last I checked this can do the same as script, so you probably want to
>> > restrict via the same mechanism.
>>
>> Yeah, we'll probably need to restrict <link rel=import> with
>> script-src so that it's not an XSS vector for existing web sites that
>> use CSP.
>>
>> Adam
>
>
Received on Sunday, 28 April 2013 19:55:16 UTC
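The thread's decision, that a `<link rel=import>` fetch is governed by `script-src` (with `default-src` as the fallback) rather than by a new directive, can be modelled with a small policy evaluator. The code below is an added example written for this page; it is neither browser code nor the algorithm from the CSP or HTML Imports specs, and the policies, origins and URLs in it are constructed sample values. Source-expression matching is deliberately reduced to `'self'`, `'none'`, `*`, scheme sources and host sources (path parts are ignored); nonces, hashes and `'unsafe-inline'` are skipped because they never authorize a URL fetch.

```javascript
// Added example (not from the thread or the CSP/HTML Imports specs): a
// simplified model of how a CSP policy governs a <link rel=import> fetch
// when imports are checked against script-src, falling back to default-src.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Split a serialized policy into a Map of directive name -> source list.
// CSP ignores repeated directives, so the first occurrence wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Pick the directive that governs a fetch of the given kind. The thread's
// decision is modelled here: 'import' is governed by script-src exactly as
// 'script' is. default-src is the fallback for every fetch kind.
function governingDirective(directives, kind) {
  const primary = { script: 'script-src', import: 'script-src', style: 'style-src' }[kind];
  if (primary && directives.has(primary)) return primary;
  if (directives.has('default-src')) return 'default-src';
  return null; // nothing governs this kind, so CSP does not block it
}

// Does one source expression permit fetching `url` from a document at `documentOrigin`?
function sourceMatches(expr, url, documentOrigin) {
  const e = expr.toLowerCase();
  if (e === '*') return true;
  if (e === "'self'") return url.origin === documentOrigin;
  if (e.startsWith("'")) return false; // 'none', nonces, hashes, 'unsafe-*' never allow a URL
  if (/^[a-z][a-z0-9+.\-]*:$/.test(e)) return url.protocol === e; // scheme source, e.g. https:
  // Host source: [scheme://]host[:port][/path]; the path part is ignored in this model.
  let scheme = null;
  let hostPart = e;
  const m = e.match(/^([a-z][a-z0-9+.\-]*):\/\/(.*)$/);
  if (m) { scheme = m[1] + ':'; hostPart = m[2]; }
  hostPart = hostPart.split('/')[0];
  if (scheme && url.protocol !== scheme) return false;
  const [host, port] = hostPart.split(':');
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false; // *.example.com does not match example.com
  } else if (url.hostname !== host) {
    return false;
  }
  if (port && port !== '*') {
    const effectivePort = url.port || DEFAULT_PORTS[url.protocol] || '';
    if (effectivePort !== port) return false;
  }
  return true;
}

// Top-level check: would this fetch be permitted under the policy?
function isAllowed(policy, kind, requestUrl, documentOrigin) {
  const directives = parsePolicy(policy);
  const name = governingDirective(directives, kind);
  if (name === null) return true;
  const url = new URL(requestUrl);
  return directives.get(name).some((expr) => sourceMatches(expr, url, documentOrigin));
}

// Constructed sample: a site that already deploys CSP and allows scripts
// only from itself and one CDN.
const SAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'";
const DOC_ORIGIN = 'https://app.example.com';

for (const href of ['https://cdn.example.com/widget.html', 'https://evil.example.net/widget.html']) {
  const verdict = isAllowed(SAMPLE_POLICY, 'import', href, DOC_ORIGIN) ? 'allowed' : 'blocked';
  console.log(`<link rel=import href="${href}"> governed by script-src: ${verdict}`);
}
```

The point the evaluator makes concrete: a site whose existing policy is only `script-src 'self'` gets the same protection for imports that it already has for scripts, with no policy change, whereas a fetch kind that no directive governs (`governingDirective` returning `null`) is simply not checked. That is the regression the thread is avoiding by not introducing a separate directive that existing policies would lack.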