Re: HTML Imports and CSP

> No. Script inlined in the import if the import is whitelisted via
> `script-src`. Basically, `script-src` says "It's ok to load script from over
> here." The fact that that script is contained in an imported HTML document
> rather than in a script resource doesn't seem terribly relevant, does it?

Just the inline <script> tag, or are inline event listeners in the
import also allowed?

> In theory, a new directive is totally reasonable. Practically, I worry that
> folks who are currently protected from bad imports via `script-src` would
> cease to be protected if they had to define `import-src` or something
> similar.

Well, you already need to set object-src to be safe too. I also worry
about this argument because that means every new "dangerous" construct
will tie to script-src :(

--dev

Received on Wednesday, 1 April 2015 01:31:31 UTC
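The two points above (an import load being checked against the whitelist in `script-src`, and `object-src` having to be set separately because it does not inherit from `script-src`) can be seen in a small CSP 2 source-list evaluator. This is an added example for this thread, not code from the spec, from Chrome or from either poster. It assumes the mapping of HTML imports onto `script-src` that the quoted reply describes, and it simplifies: paths in host-sources are ignored, nonces and hashes are not modelled, and the document origin is passed in explicitly. The policies and URLs are constructed for the example.

```javascript
// Minimal CSP 2 source-list evaluator (illustration only; not the spec's
// algorithm or any browser's implementation).

// Resource type -> governing directive. HTML imports are modelled as being
// governed by script-src, as the quoted reply describes (assumption).
const GOVERNING_DIRECTIVE = {
  script: 'script-src',
  import: 'script-src',
  object: 'object-src',
  image: 'img-src',
};

// Parse "dir src src; dir src" into { dir: [src, ...] }. As in CSP, the first
// occurrence of a directive wins and later duplicates are ignored.
function parsePolicy(policy) {
  const directives = {};
  for (const chunk of policy.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression match the URL being fetched?
function sourceMatches(expr, url, documentOrigin) {
  if (expr === "'none'") return false;
  if (expr === '*') return true;
  if (expr === "'self'") return url.origin === documentOrigin;
  if (expr.startsWith("'")) return false; // 'unsafe-inline' etc. never match a fetch
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  // host-source: [scheme://]host[:port]; any path is ignored in this model
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const h = host.toLowerCase();
  const hostOk = h.startsWith('*.')
    ? url.hostname.endsWith(h.slice(1))   // "*.example.com" matches subdomains only
    : url.hostname === h;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
    if (urlPort !== port) return false;
  }
  return true;
}

// Is a fetch of urlString as resource `type` permitted by `policy`?
// Fallback order: the type's own directive, else default-src, else no
// restriction at all (which is why object-src must be set explicitly).
function isAllowed(policy, type, urlString, documentOrigin) {
  const directives = parsePolicy(policy);
  const name = GOVERNING_DIRECTIVE[type];
  if (!name) throw new Error('unknown resource type: ' + type);
  const sources = directives[name] || directives['default-src'];
  if (sources === undefined) return true;
  const url = new URL(urlString);
  return sources.some((expr) => sourceMatches(expr, url, documentOrigin));
}

// Constructed policies for the two points raised in the thread.
const DOC = 'https://app.example';
const ONLY_SCRIPT_SRC = "script-src 'self' https://imports.example.com";
const WITH_OBJECT_SRC = ONLY_SCRIPT_SRC + "; object-src 'none'";

function demo() {
  return {
    // an import is checked against the script-src whitelist
    importFromWhitelist: isAllowed(ONLY_SCRIPT_SRC, 'import', 'https://imports.example.com/widget.html', DOC),
    importFromElsewhere: isAllowed(ONLY_SCRIPT_SRC, 'import', 'https://evil.example/widget.html', DOC),
    // object-src does not inherit from script-src: with neither object-src
    // nor default-src present, a plugin may be loaded from anywhere
    pluginWithoutObjectSrc: isAllowed(ONLY_SCRIPT_SRC, 'object', 'https://evil.example/x.swf', DOC),
    pluginWithObjectSrc: isAllowed(WITH_OBJECT_SRC, 'object', 'https://evil.example/x.swf', DOC),
  };
}

console.log(demo());
```

Running it prints `pluginWithoutObjectSrc: true` next to `importFromElsewhere: false`: the same policy that blocks an unlisted import says nothing about plugins until `object-src` (or a `default-src` it can fall back to) is added.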