
Re: HTML Imports and CSP

From: Mike West <mkwst@google.com>
Date: Wed, 1 Apr 2015 07:28:18 +0200
Message-ID: <CAKXHy=eGKpQ4y3+BETLGrnszmcqyV6rASqXmT0Ys7C2biMoAkw@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Apr 1, 2015 at 3:30 AM, Devdatta Akhawe <dev.akhawe@gmail.com>

> > No. Script inlined in the import if the import is whitelisted via
> > `script-src`. Basically, `script-src` says "It's ok to load script from
> > over here." The fact that that script is contained in an imported HTML
> > document rather than in a script resource doesn't seem terribly relevant,
> > does it?
> just the inline <script> tag, or are inline event listeners in the
> import also allowed?

Sure, why not? I'm not a huge fan of inline event handlers, but I don't
think that allowing them (and inline script) in Imports actually increases
the risk a developer exposes herself to. Do you think that's an incorrect

> > In theory, a new directive is totally reasonable. Practically, I worry
> > that folks who are currently protected from bad imports via `script-src`
> > would cease to be protected if they had to define `import-src` or
> > something similar.
> well, you already need to set object-src to be safe too. I also worry
> about this argument because that means every new "dangerous" construct
> will tie to script-src :(

There's a difference between supporting a new feature which isn't currently
covered by any directive, and changing the meaning of a directive that
already covers a feature.

Migrating workers to `child-src` didn't go amazingly smoothly, for
instance; we've done it, and we're not going back on it, but I'm not sure
I'd do it again.


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 1 April 2015 05:29:07 UTC
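As an added example, not code from the thread or from any browser: a small Python policy evaluator that models the position taken in this message (an HTML Import is governed by `script-src`, and inline script or inline handlers inside an allowed import inherit that allowance) together with the `object-src` caveat raised in the quoted reply. Host-source matching is deliberately simplified (no port or path handling) and all function names are my own.

```python
# Constructed example: a simplified CSP source-list matcher for HTML Imports.
# It is not a browser's implementation; port and path matching are omitted.
from urllib.parse import urlsplit


def parse_csp(header):
    """Turn "script-src a b; object-src c" into {"script-src": ["a", "b"], ...}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(expr, url, page_origin):
    """Check one source expression ('self', 'none', *, scheme:, host, *.host) against a URL."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}"
    expr_l = expr.lower()
    if expr_l == "'none'":
        return False
    if expr_l == "'self'":
        return origin == page_origin
    if expr_l == "*":
        return True
    if expr_l.endswith(":"):  # scheme-source such as https:
        return u.scheme == expr_l[:-1]
    if "://" in expr_l and not expr_l.startswith(u.scheme + "://"):
        return False  # host-source carries a scheme that does not match
    host = expr_l.split("://", 1)[-1]
    if host.startswith("*."):  # *.example.com matches any subdomain
        return u.hostname.endswith(host[1:])
    return u.hostname == host


def evaluate_import(header, import_url, page_origin):
    """Summarise what a policy says about one HTML Import, under this message's model."""
    policy = parse_csp(header)
    script_sources = policy.get("script-src", policy.get("default-src", []))
    allowed = any(source_matches(s, import_url, page_origin) for s in script_sources)
    object_sources = policy.get("object-src", policy.get("default-src", []))
    return {
        "import_allowed": allowed,
        # inline <script> and inline handlers in the import inherit the import's allowance
        "inline_script_in_import_allowed": allowed,
        # the quoted caveat: object-src has to be locked down separately
        "plugins_blocked": object_sources == ["'none'"],
    }
```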
