- From: Mike West <mkwst@google.com>
- Date: Tue, 7 Apr 2015 14:58:24 +0200
- To: Devdatta Akhawe <dev.akhawe@gmail.com>, Brad Hill <hillbrad@gmail.com>, Joel Weinberger <jww@google.com>, Justin Schuh <jschuh@google.com>, Dimitri Glazkov <dglazkov@google.com>, nathan@github.com
- Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=cr4fAFNo8f_tC1oMi+8WG96jSt_apiZP_n8Yb_D7V4=g@mail.gmail.com>
CCing folks who were inadvertently dropped from explicit CC, to widen the net.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, court of registration and number: Hamburg, HRB 86891, registered office: Hamburg, managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Apr 7, 2015 at 1:39 PM, Mike West <mkwst@google.com> wrote:
> After thinking about this a bit more over the holidays, I think I'm more
> in agreement with you than I thought, Dev. :)
>
> What do you think about this:
>
> 1. Move imports to `import-src` (we'll need to measure usage in Chrome,
> but assuming this is mostly an extension thing at this point, it should be
> doable).
>
> 2. Give imports their own policy (that is, no longer inherit from the
> containing document) like Workers and frames, which would enable them to
> either whitelist `unsafe-inline` themselves, or use nonces/hashes, whatever.
>
> -mike
>
> On Sat, Apr 4, 2015 at 6:23 AM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>
>> > You're not wrong there; inline event handlers are bad and they should feel
>> > bad.
>> >
>> > That said, is the risk really different in kind from just allowing plain old
>> > inline script that executes directly? It doesn't seem to be. Allowing one
>> > without allowing the other seems capricious.
>>
>> I think Brad put the concern really well, but even for code written by
>> developers I know---I would rather trust their ability to sanitize a
>> string inside a JS variable than inside a script tag than "inside JS,
>> inside an event handler, in response to a DOM event". And I would
>> trust a review of the former more than a review of the latter.
>>
>> > What's your ideal solution?
>>
>> I tend to agree with Crispin on code/data separation. Anything that
>> mixes the two should have the word unsafe in it.
>>
>> If not that, then just inline scripts will make me less sad. Allowing
>> inline scripts and event handlers just because the import is allowed
>> in script-src is definitely something I would strongly oppose.
>>
>> -Dev
>>
>
Received on Tuesday, 7 April 2015 12:59:12 UTC