Re: HTML Imports and CSP

On Wed, Apr 1, 2015 at 3:30 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> > No. Script inlined in the import if the import is whitelisted via
> > `script-src`. Basically, `script-src` says "It's ok to load script from
> > over here." The fact that that script is contained in an imported HTML
> > document rather than in a script resource doesn't seem terribly relevant,
> > does it?
>
> Just the inline <script> tag, or are inline event listeners in the
> import also allowed?
>

Sure, why not? I'm not a huge fan of inline event handlers, but I don't
think that allowing them (and inline script) in Imports actually increases
the risk a developer exposes herself to. Do you think that's an incorrect
analysis?


>
> > In theory, a new directive is totally reasonable. Practically, I worry
> > that folks who are currently protected from bad imports via `script-src`
> > would cease to be protected if they had to define `import-src` or
> > something similar.
>
> well, you already need to set object-src to be safe too. I also worry
> about this argument because that means every new "dangerous" construct
> will tie to script-src :(
>

There's a difference between supporting a new feature which isn't currently
covered by any directive, and changing the meaning of a directive that
already covers a feature.

Migrating workers to `child-src` didn't go amazingly smoothly, for
instance; we've done it, and we're not going back on it, but I'm not sure
I'd do it again.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 1 April 2015 05:29:07 UTC
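The directive coverage the two of them are arguing about, as an added example that is not code from the thread or from any browser: a small CSP source-list matcher that reports which directive governs each kind of fetch discussed above and how each one falls back to `default-src`. The fetch-type-to-directive mapping follows the thread (HTML Imports and the script inside them under `script-src`, plugins under `object-src`, workers under `child-src` with no fallback to `script-src`) and is an assumption of this example, as are the sample policies and URLs; path matching is deliberately left out.

```javascript
// Added example (not from the mailing-list thread): a minimal CSP source-list
// matcher. Which directive governs each fetch type, in lookup order, is an
// assumption taken from the thread's description of CSP at the time.
const GOVERNING_DIRECTIVES = {
  script: ["script-src", "default-src"],
  import: ["script-src", "default-src"], // HTML Imports ride on script-src (per the thread)
  object: ["object-src", "default-src"], // must be set explicitly to be safe
  worker: ["child-src", "default-src"],  // workers moved to child-src; no fallback to script-src
};

// Parse "name v1 v2; name2 v3" into Map(name -> [values]); as in CSP, the
// first occurrence of a directive name wins and later duplicates are ignored.
function parsePolicy(policy) {
  const directives = new Map();
  for (const token of policy.split(";")) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Host pattern: exact host, "*" for any host, or "*.example.com" for subdomains.
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression match the request URL? Paths are ignored here
// (a simplification); keyword sources other than 'self' never match a URL.
function sourceMatches(expr, url, docOrigin) {
  const e = expr.toLowerCase();
  if (e === "'self'") return url.origin === docOrigin.origin;
  if (e.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(e);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (url.protocol !== scheme + ":") return false;
  } else if (url.protocol !== docOrigin.protocol &&
             !(docOrigin.protocol === "http:" && url.protocol === "https:")) {
    return false; // no scheme given: match the document's scheme (http -> https upgrade allowed)
  }
  if (!hostMatches(host, url.hostname)) return false;
  const effectivePort = url.port || (url.protocol === "https:" ? "443" : "80");
  if (port === undefined) return url.port === ""; // no port given: URL must use the default port
  return port === "*" || port === effectivePort;
}

// Decide whether a fetch of `fetchType` for `requestUrl` from a document at
// `documentOrigin` is allowed, and report the directive that decided it
// (directive: null means nothing in the policy governs it, so it is unrestricted).
function allows(policy, fetchType, requestUrl, documentOrigin) {
  const directives = parsePolicy(policy);
  const chain = GOVERNING_DIRECTIVES[fetchType];
  if (!chain) throw new Error("unknown fetch type: " + fetchType);
  const name = chain.find((d) => directives.has(d));
  if (!name) return { allowed: true, directive: null };
  const url = new URL(requestUrl);
  const origin = new URL(documentOrigin);
  const allowed = directives.get(name).some((expr) => sourceMatches(expr, url, origin));
  return { allowed, directive: name };
}

// The position taken in the thread: inline <script> and inline event handlers
// inside an import are allowed exactly when the import itself passes script-src.
function inlineScriptInImportAllowed(policy, importUrl, documentOrigin) {
  return allows(policy, "import", importUrl, documentOrigin).allowed;
}

// Constructed sample policies and origins (not taken from the thread).
const STRICT = "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'";
const SCRIPT_ONLY = "script-src 'self'"; // no object-src and no default-src
const DOC = "https://app.example.com";

for (const [type, u] of [
  ["import", "https://cdn.example.com/widget.html"], // allowed by script-src
  ["worker", "https://cdn.example.com/worker.js"],   // falls to default-src 'self': blocked
  ["object", "https://app.example.com/plugin.swf"],  // object-src 'none': blocked
]) {
  console.log(type, u, allows(STRICT, type, u, DOC));
}
console.log("object under script-src-only policy:",
  allows(SCRIPT_ONLY, "object", "https://evil.example/plugin.swf", DOC)); // unrestricted
```

The two policies make both sides of the exchange concrete: under `STRICT`, a worker from the same CDN that `script-src` whitelists is still blocked, because `child-src` falls back to `default-src` rather than `script-src`; under `SCRIPT_ONLY`, plugin content from anywhere is unrestricted, which is the "you already need to set `object-src` to be safe" point.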