- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Tue, 31 Mar 2015 18:30:43 -0700
- To: Mike West <mkwst@google.com>
- Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> No. Script inlined in the import if the import is whitelisted via
> `script-src`. Basically, `script-src` says "It's ok to load script from over
> here." The fact that that script is contained in an imported HTML document
> rather than in a script resource doesn't seem terribly relevant, does it?

Just the inline <script> tag, or are inline event listeners in the import also allowed?

> In theory, a new directive is totally reasonable. Practically, I worry that
> folks who are currently protected from bad imports via `script-src` would
> cease to be protected if they had to define `import-src` or something
> similar.

Well, you already need to set object-src to be safe too. I also worry about this argument because that means every new "dangerous" construct will tie to script-src :(

--dev
Received on Wednesday, 1 April 2015 01:31:31 UTC
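An added example (my own code, not from the thread or the CSP spec) that models the two points made above: whether script inlined in an HTML import is allowed because `script-src` (or `default-src` as its fallback) whitelists the import's origin, and whether a policy that locks down `script-src` still leaves `object-src` unrestricted. Source matching is simplified to the origin level (an assumption; real CSP matching also handles paths, wildcards, nonces and hashes), and all policies and origins are constructed.

```python
from urllib.parse import urlsplit

def parse_csp(policy: str) -> dict:
    """Split 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']} (names lowercased)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def effective_sources(directives: dict, name: str):
    """Fetch directives such as script-src/object-src fall back to default-src;
    None means the policy places no restriction at all."""
    return directives.get(name, directives.get("default-src"))

def origin_of(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()

def source_matches(sources, url: str, page_origin: str) -> bool:
    """Origin-level match (assumption: no paths, wildcards, nonces or hashes):
    'none' allows nothing, 'self' is the page origin, '*' allows anything."""
    if sources is None:
        return True
    target = origin_of(url)
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "*" or s == target or (s == "self" and target == page_origin):
            return True
    return False

def import_script_allowed(policy: str, import_url: str, page_origin: str) -> bool:
    """Point made in the thread: script inlined in an HTML import runs only if
    script-src (or default-src) whitelists the origin the import came from."""
    sources = effective_sources(parse_csp(policy), "script-src")
    return source_matches(sources, import_url, page_origin)

def audit(policy: str) -> list:
    """Dev's caveat: a policy that locks down script-src but never restricts
    object-src still leaves plugin content unrestricted."""
    d = parse_csp(policy)
    findings = []
    if effective_sources(d, "script-src") is None:
        findings.append("script-src unrestricted")
    if effective_sources(d, "object-src") is None:
        findings.append("object-src unrestricted (add object-src 'none' or a default-src)")
    return findings
```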