- From: Mike West <mkwst@google.com>
- Date: Wed, 1 Apr 2015 07:28:18 +0200
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=eGKpQ4y3+BETLGrnszmcqyV6rASqXmT0Ys7C2biMoAkw@mail.gmail.com>
On Wed, Apr 1, 2015 at 3:30 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > No. Script inlined in the import if the import is whitelisted via
> > `script-src`. Basically, `script-src` says "It's ok to load script from over
> > here." The fact that that script is contained in an imported HTML document
> > rather than in a script resource doesn't seem terribly relevant, does it?
>
> just the inline <script> tag, or are inline event listeners in the
> import also allowed ?

Sure, why not? I'm not a huge fan of inline event handlers, but I don't think that allowing them (and inline script) in Imports actually increases the risk a developer exposes herself to. Do you think that's an incorrect analysis?

> > In theory, a new directive is totally reasonable. Practically, I worry that
> > folks who are currently protected from bad imports via `script-src` would
> > cease to be protected if they had to define `import-src` or something
> > similar.
>
> well, you already need to set object-src to be safe too. I also worry
> about this argument because that means every new "dangerous" construct
> will tie to script-src :(

There's a difference between supporting a new feature which isn't currently covered by any directive, and changing the meaning of a directive that already covers a feature. Migrating workers to `child-src` didn't go amazingly smoothly, for instance; we've done it, and we're not going back on it, but I'm not sure I'd do it again.

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 1 April 2015 05:29:07 UTC
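To make the directive mapping discussed in the thread concrete, here is a small policy checker added as an example (not code from the thread, the WebAppSec WG, or any browser). It assumes the simplified rules the mail describes: an HTML Import and the script inside it fall under `script-src`, plug-ins under `object-src`, workers under `child-src`, each falling back to `default-src`; host sources are matched as exact origins, with no wildcard-host or path matching.

```python
# Assumed mapping from load kind to governing CSP directive, following the
# thread: imports (and their inline script) are covered by script-src,
# plug-ins by object-src, workers by child-src. Not a normative CSP matcher.
GOVERNING = {
    "script": "script-src",
    "import": "script-src",
    "object": "object-src",
    "worker": "child-src",
}


def parse_csp(policy: str) -> dict:
    """Split "dir src src; dir src" into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def _source_matches(src: str, origin: str, page_origin: str) -> bool:
    """Exact-origin host matching plus 'self' and '*'; keywords never match."""
    if src == "*":
        return True
    if src == "'self'":
        return origin == page_origin
    if src.startswith("'"):  # 'none', 'unsafe-inline', nonces: not host sources
        return False
    return origin == src


def allows(policy: str, kind: str, page_origin: str,
           origin: str = "", inline: bool = False) -> bool:
    """Would this policy permit a load of `kind` (or inline script, when
    inline=True) on a page served from page_origin?"""
    directives = parse_csp(policy)
    sources = directives.get(GOVERNING[kind], directives.get("default-src"))
    if sources is None:
        return True  # no governing directive and no default-src: unrestricted
    if inline:
        return "'unsafe-inline'" in sources
    return any(_source_matches(s, origin.lower(), page_origin.lower())
               for s in sources)
```

The last case in the test below illustrates Devdatta's point: a policy that only sets `script-src` leaves plug-in loads unrestricted until `object-src` (or `default-src`) is set as well.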