- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Wed, 1 Apr 2015 21:32:36 -0700
- To: Mike West <mkwst@google.com>
- Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> Sure, why not? I'm not a huge fan of inline event handlers, but I don't
> think that allowing them (and inline script) in Imports actually increases
> the risk a developer exposes herself to. Do you think that's an incorrect
> analysis?

There is a huge difference in risk of XSS in inline event handlers and inline scripts. Different types of contexts, nested contexts etc. all are issues. *cough* I think Joel wrote a paper about this :D

> There's a difference between supporting a new feature which isn't currently
> covered by any directive, and changing the meaning of a directive that
> already covers a feature.

Again, because of the DOMXSS risk (even just injecting a new inline script tag without nonce), I think not using a new directive messes up the security invariants for any CSP adopters.

--dev

> Migrating workers to `child-src` didn't go amazingly smoothly, for instance;
> we've done it, and we're not going back on it, but I'm not sure I'd do it
> again.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 2 April 2015 04:33:24 UTC
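An added example, not part of this thread, modelling the CSP Level 2 script-src rules that Dev's reply turns on: a nonce whitelists the developer's own `<script>` elements, an injected inline script without a nonce stays blocked, and inline event handlers (which carry no nonce) only run when `'unsafe-inline'` is effective. The policy strings, nonce value and page contents are constructed for the demo.

```javascript
// Added example (not from this thread): a model of CSP Level 2 script-src rules,
// showing that a nonce protects <script> elements but not inline event handlers,
// and that an injected nonce-less <script> stays blocked. Inputs are constructed.

// Parse a script-src directive value into the parts that matter for inline code.
function parseScriptSrc(directiveValue) {
  const tokens = directiveValue.trim().split(/\s+/);
  return {
    unsafeInline: tokens.includes("'unsafe-inline'"),
    // 'nonce-<value>' -> <value>
    nonces: new Set(tokens.filter((t) => t.startsWith("'nonce-")).map((t) => t.slice(7, -1))),
    // CSP2: any nonce or hash source makes 'unsafe-inline' ineffective.
    hasNonceOrHash: tokens.some((t) => /^'(nonce|sha(256|384|512))-/.test(t)),
  };
}

// Is an inline <script> with the given nonce attribute (null if absent) allowed?
function inlineScriptAllowed(policy, scriptNonce) {
  if (scriptNonce !== null && policy.nonces.has(scriptNonce)) return true;
  return policy.unsafeInline && !policy.hasNonceOrHash;
}

// Inline event handlers (onclick="...") carry no nonce in CSP2, so they run only
// when 'unsafe-inline' is effective.
function inlineHandlerAllowed(policy) {
  return policy.unsafeInline && !policy.hasNonceOrHash;
}

// Evaluate a page's inline code against a directive value. Each item is
// { kind: "script", nonce } or { kind: "handler" }; returns one boolean per item.
function evaluateInline(directiveValue, items) {
  const policy = parseScriptSrc(directiveValue);
  return items.map((item) =>
    item.kind === "script" ? inlineScriptAllowed(policy, item.nonce) : inlineHandlerAllowed(policy)
  );
}

// Constructed page: the developer's nonced script, an attacker-injected script
// without a nonce, and an inline onclick handler.
const PAGE = [{ kind: "script", nonce: "r4nd0m" }, { kind: "script", nonce: null }, { kind: "handler" }];

// Nonce policy: only the nonced script runs; 'unsafe-inline' is a no-op fallback here.
const NONCE_POLICY = "'self' 'nonce-r4nd0m' 'unsafe-inline'";
// Legacy policy: everything inline runs, including the injected script.
const LEGACY_POLICY = "'self' 'unsafe-inline'";

console.log(evaluateInline(NONCE_POLICY, PAGE)); // [ true, false, false ]
console.log(evaluateInline(LEGACY_POLICY, PAGE)); // [ true, true, true ]
```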