HTML Imports vs unsafe-inline

HTML Imports are a great way to import javascript, but the simple way
to use them requires unsafe-inline:
https://code.google.com/p/chromium/codesearch/#chromium/src/third_party/WebKit/Tools/GardeningServer/lib/update-util.html.
It's possible to split each file in two, but that's inconvenient while
editing and costs network requests. It's also possible to write a
build step that generates hashes for each script, but injecting a
build into the edit/debug cycle slows that cycle down.

Is there something the CSP spec could do (either a new token or advice
to authors) that would make these literal scripts easier to use
without opening vulnerabilities?

This is also relevant to Chrome Apps, which force a CSP to protect
their users: https://developer.chrome.com/apps/contentSecurityPolicy.
If there's something halfway to unsafe-inline that would still avoid
the relevant vulnerabilities but would allow use of literal <script>
tags, it'd be nice to let people use Polymer more easily.

Unfortunately, I don't have a concrete suggestion here, partly because
I don't understand the attacks that the inline-script restrictions are
intended to defend against.

Jeffrey

Received on Thursday, 11 September 2014 04:20:28 UTC