Re: HTML Imports and CSP from Devdatta Akhawe on 2015-04-07 (public-webappsec@w3.org from April 2015)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Tue, 7 Apr 2015 05:53:01 -0700
To: Mike West <mkwst@google.com>
Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAPfop_1aK50XnoptaW-JRVGAnWTL0WSY_QBffEz4Qjd7w-Tcuw@mail.gmail.com>

that sounds great! thanks!

On 7 April 2015 at 04:39, Mike West <mkwst@google.com> wrote:
> After thinking about this a bit more over the holidays, I think I'm more in
> agreement with you than I thought, Dev. :)
>
> What do you think about this:
>
> 1. Move imports to `import-src` (we'll need to measure usage in Chrome, but
> assuming this is mostly an extension thing at this point, it should be
> doable).
>
> 2. Give imports their own policy (that is, no longer inherit from the
> containing document) like Workers and frames, which would enable them to
> either whitelist `unsafe-inline` themselves, or use nonces/hashes whatever.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Sat, Apr 4, 2015 at 6:23 AM, Devdatta Akhawe <dev.akhawe@gmail.com>
> wrote:
>>
>> > You're not wrong there; inline event handlers are bad and they should
>> > feel
>> > bad.
>> >
>> > That said, is the risk really different in kind from just allowing plain
>> > old
>> > inline script that executes directly? It doesn't seem to be. Allowing
>> > one
>> > without allowing the other seems capricious.
>>
>> I think Brad put the concern really well, but even for code written by
>> developers I know---I would rather trust their ability to sanitize a
>> string inside a JS variable than inside a script tag than "inside JS,
>> inside an event handler, in response to a DOM event". And I would
>> trust a review of the former more than a review of the latter.
>>
>> > What's your ideal solution?
>>
>> I tend to agree with Crispin on code data separation. Anything that
>> mixes the two should have the word unsafe in it.
>>
>> If not that, then just inline scripts will make me less sad. Allowing
>> inline scripts and event handlers just because the import is allowed
>> in script-src is definitely something I would strongly oppose.
>>
>> -Dev
>
>

Received on Tuesday, 7 April 2015 12:53:53 UTC