W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: HTML Imports and CSP

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 31 Mar 2015 18:30:43 -0700
Message-ID: <CAPfop_16KN4Y3wk2NEwJKG2Kys4iMT-cAPJ7_DMRudvZuvZRaw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> No. Script inlined in the import if the import is whitelisted via
> `script-src`. Basically, `script-src` says "It's ok to load script from over
> here." The fact that that script is contained in an imported HTML document
> rather than in a script resource doesn't seem terribly relevant, does it?

just the inline <script> tag, or are inline event listeners in the
import also allowed ?

> In theory, a new directive is totally reasonable. Practically, I worry that
> folks who are currently protected from bad imports via `script-src` would
> cease to be protected if they had to define `import-src` or something
> similar.

well, you already need to set object-src to be safe too. I also worry
about this argument because that means every new "dangerous" construct
will tie to script-src :(

Received on Wednesday, 1 April 2015 01:31:31 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:11 UTC