Re: HTML Imports and CSP from Brad Hill on 2015-04-03 (public-webappsec@w3.org from April 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Fri, 03 Apr 2015 17:40:46 +0000
To: Mike West <mkwst@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAEeYn8hD1Pnoi6RMQ-1=Cko0AMDuya=xV-WK-qQ8n3N--a+zgQ@mail.gmail.com>

>
>> just the inline <script> tag, or are inline event listeners in the
>> import also allowed ?
>>
>
> Sure, why not? I'm not a huge fan of inline event handlers, but I don't
> think that allowing them (and inline script) in Imports actually increases
> the risk a developer exposes herself to. Do you think that's an incorrect
> analysis?
>
> I don't think its incorrect, but I think it complicates other use cases.
 e.g. if I'm serving HTML+JS ads authored by a 3rd party, part of what I'd
like to get out of forbidding inline with CSP is that I know that all
script content must be packaged in a distinct file that is much easier to
analyze as such than HTML with inline event handlers, etc.

-Brad

Received on Friday, 3 April 2015 17:41:14 UTC