
Re: HTML Imports and CSP

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Wed, 1 Apr 2015 21:32:36 -0700
Message-ID: <CAPfop_1dk_gFhAjZcmSjaMspnDUMktXGm0BazkwVgte+NWJ=6w@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> Sure, why not? I'm not a huge fan of inline event handlers, but I don't
> think that allowing them (and inline script) in Imports actually increases
> the risk a developer exposes herself to. Do you think that's an incorrect
> analysis?

There is a huge difference in the risk of XSS in inline event handlers and
inline scripts. Different types of contexts, nested contexts, etc. are all
issues. *cough* I think Joel wrote a paper about this :D

> There's a difference between supporting a new feature which isn't currently
> covered by any directive, and changing the meaning of a directive that
> already covers a feature.

Again, because of the DOMXSS risk (even just injecting a new inline script tag
without nonce), I think not using a new directive messes up the
security invariants for any CSP adopters.

--dev


> Migrating workers to `child-src` didn't go amazingly smoothly, for instance;
> we've done it, and we're not going back on it, but I'm not sure I'd do it
> again.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 2 April 2015 04:33:24 UTC
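The point of contention in this exchange is how CSP's `script-src` treats an inline `<script>` element differently from an inline event handler, and why an injected inline script without a nonce is the case to worry about. The following is an added example, not code from the thread or from any browser: a deliberately simplified model of the nonce/hash/`'unsafe-inline'` matching rules applied to a constructed HTML Import fragment. The policy string, the fragment, and the function names are all invented for illustration; host-source matching and other directives are ignored.

```python
import base64
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# NOTE: simplified model of CSP Level 2/3 script-src matching, written for this
# example; it is not a conforming CSP implementation and ignores host sources.


@dataclass
class ScriptSrc:
    unsafe_inline: bool = False
    unsafe_hashes: bool = False          # CSP3 keyword extending hashes to event handlers
    nonces: set = field(default_factory=set)
    hashes: set = field(default_factory=set)


def parse_script_src(policy: str) -> ScriptSrc:
    """Extract the script-src directive from a Content-Security-Policy header value."""
    ss = ScriptSrc()
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "script-src":
            continue
        for tok in tokens[1:]:
            t = tok.strip("'")
            if t == "unsafe-inline":
                ss.unsafe_inline = True
            elif t == "unsafe-hashes":
                ss.unsafe_hashes = True
            elif t.startswith("nonce-"):
                ss.nonces.add(t[len("nonce-"):])
            elif re.match(r"^sha(256|384|512)-", t):
                ss.hashes.add(t)
    return ss


def sha256_source(source: str) -> str:
    """CSP hash-source expression for a script body (base64 of SHA-256)."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inline_script_allowed(ss: ScriptSrc, body: str, nonce: Optional[str] = None) -> bool:
    """An inline <script> element runs if its nonce or hash matches; 'unsafe-inline'
    is ignored whenever the policy carries any nonce or hash (CSP2 compatibility rule)."""
    if ss.nonces or ss.hashes:
        return (nonce is not None and nonce in ss.nonces) or sha256_source(body) in ss.hashes
    return ss.unsafe_inline


def inline_handler_allowed(ss: ScriptSrc, body: str) -> bool:
    """An inline event handler attribute cannot carry a nonce; a hash covers it only
    when the policy also says 'unsafe-hashes' (CSP3). Otherwise only 'unsafe-inline'
    permits it, and that keyword is ignored once a nonce or hash is present."""
    if ss.nonces or ss.hashes:
        return ss.unsafe_hashes and sha256_source(body) in ss.hashes
    return ss.unsafe_inline


SCRIPT_RE = re.compile(r'<script(?:\s+nonce="([^"]*)")?\s*>(.*?)</script>', re.S | re.I)
HANDLER_RE = re.compile(r'\son[a-z]+="([^"]*)"', re.I)


def evaluate_fragment(policy: str, html: str) -> list:
    """Return (kind, body, allowed) for every inline script element and event handler
    attribute found in an HTML fragment (e.g. an HTML Import) under the given policy."""
    ss = parse_script_src(policy)
    results = []
    for m in SCRIPT_RE.finditer(html):
        nonce, body = m.group(1), m.group(2).strip()
        results.append(("script", body, inline_script_allowed(ss, body, nonce)))
    for m in HANDLER_RE.finditer(html):
        body = m.group(1)
        results.append(("handler", body, inline_handler_allowed(ss, body)))
    return results


# Constructed sample: an imported document with one nonced script, one inline
# script that lacks the nonce, and one inline event handler.
SAMPLE_POLICY = "default-src 'self'; script-src 'self' 'nonce-d2Vi' 'unsafe-inline'"
SAMPLE_IMPORT = """
<template id="widget">
  <script nonce="d2Vi">initWidget();</script>
  <script>untrustedInjected();</script>
  <button onclick="openPanel()">Open</button>
</template>
"""

if __name__ == "__main__":
    for kind, body, allowed in evaluate_fragment(SAMPLE_POLICY, SAMPLE_IMPORT):
        print(f"{kind:8} {'ALLOWED' if allowed else 'BLOCKED'}  {body}")
```

Run as-is, the nonced script is allowed, the un-nonced inline script is blocked (because the presence of a nonce switches `'unsafe-inline'` off), and the `onclick` handler is blocked as well, since a nonce can never cover an attribute. Whitelisting that handler would require either `'unsafe-inline'` with no nonce at all, giving up the protection the nonce provides, or a CSP3 `'unsafe-hashes'` hash-source, which is why the two inline forms carry such different risk profiles for a policy author.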
