
Re: HTML Imports and CSP

From: Dimitri Glazkov <dglazkov@google.com>
Date: Tue, 7 Apr 2015 08:43:34 -0700
Message-ID: <CADh5Ky2uKY8c8RhVnwexvG0NQUKePcBQ_1CJBNr2aLq6QF-K3w@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Brad Hill <hillbrad@gmail.com>, Joel Weinberger <jww@google.com>, Justin Schuh <jschuh@google.com>, Nathan Sobo <nathan@github.com>, Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Apr 7, 2015 at 5:58 AM, Mike West <mkwst@google.com> wrote:

> CCing folks who were inadvertently dropped from explicit CC, to widen the
> net.
> -mike
> --
> Mike West <mkwst@google.com>, @mikewest
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> On Tue, Apr 7, 2015 at 1:39 PM, Mike West <mkwst@google.com> wrote:
>> After thinking about this a bit more over the holidays, I think I'm more
>> in agreement with you than I thought, Dev. :)
>> What do you think about this:
>> 1. Move imports to `import-src` (we'll need to measure usage in Chrome,
>> but assuming this is mostly an extension thing at this point, it should be
>> doable).
>> 2. Give imports their own policy (that is, no longer inherit from the
>> containing document) like Workers and frames, which would enable them to
>> either whitelist `unsafe-inline` themselves, or use nonces/hashes whatever.
This seems encouraging. What is the bottom line for developers using CSP?
What is the least that they need to do in order to make HTML Imports usable?

Received on Tuesday, 7 April 2015 15:44:01 UTC
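To make the two-step proposal quoted in the thread concrete, here is a small JavaScript model added as an illustration; it is not code from this thread, from any browser, or from the CSP specification. It treats `import-src` as the directive consulted for the fetch of an HTML Import (falling back to `default-src` when absent, which is an assumption, since `import-src` was never specified), and it judges inline script inside the imported document against the import's own policy rather than the importer's, which is what step 2 proposes. The functions `parsePolicy`, `sourceMatches`, `allowsFetch`, `allowsInlineScript` and `evaluateImport`, the sample policies, the nonce and the origins `app.example`, `components.example` and `cdn.example` are all constructed for the example.

```javascript
// Added example, not code from this thread or from any browser.
// It models the proposal quoted above: (1) a hypothetical `import-src`
// directive governs the fetch of an HTML Import; (2) an imported document is
// judged against its OWN policy instead of inheriting the importer's.
// Falling back to `default-src` when `import-src` is absent is an assumption.

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
// As in CSP, the first occurrence of a directive wins; later duplicates are ignored.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Match one source expression against an absolute URL. Supports 'self', 'none',
// '*', scheme-sources (https:) and host-sources with an optional scheme and a
// leading "*." wildcard. Ports and paths are deliberately not modelled.
function sourceMatches(expr, url, selfOrigin) {
  const u = new URL(url);
  if (expr === "'none'") return false;
  if (expr === "'self'") return u.origin === selfOrigin;
  if (expr.startsWith("'")) return false;          // other keywords never match a URL
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return u.protocol === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:*]+)$/i.exec(expr);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  const want = host.toLowerCase();
  return wildcard ? u.hostname.endsWith('.' + want) : u.hostname === want;
}

// Directive that governs a fetch of the given type, with default-src fallback.
// 'import' -> 'import-src' is the hypothetical directive from the proposal.
const FETCH_DIRECTIVE = { script: 'script-src', import: 'import-src' };

function governingSources(policy, type) {
  const name = FETCH_DIRECTIVE[type];
  if (policy.has(name)) return policy.get(name);
  return policy.has('default-src') ? policy.get('default-src') : null; // null: unrestricted
}

function allowsFetch(policy, type, url, selfOrigin) {
  const sources = governingSources(policy, type);
  if (sources === null) return true;
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Inline script is allowed by 'unsafe-inline', or by a matching nonce. As in
// CSP Level 2, 'unsafe-inline' is ignored once any nonce or hash source is listed.
function allowsInlineScript(policy, nonce) {
  const sources = governingSources(policy, 'script');
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  if (!hasNonceOrHash && sources.includes("'unsafe-inline'")) return true;
  return nonce !== undefined && sources.includes(`'nonce-${nonce}'`);
}

// Evaluate one import under both readings discussed in the thread.
function evaluateImport(importerPolicy, selfOrigin, importUrl, importPolicy, inlineNonce) {
  return {
    fetchAllowed: allowsFetch(importerPolicy, 'import', importUrl, selfOrigin),
    // Proposal step 2: the import's inline script is judged by the import's own policy.
    inlineAllowedOwnPolicy: allowsInlineScript(importPolicy, inlineNonce),
    // Inherited model: the same inline script judged by the importer's policy.
    inlineAllowedInherited: allowsInlineScript(importerPolicy, inlineNonce),
  };
}

// Constructed sample (origins and nonce are made up for the example).
const SELF_ORIGIN = 'https://app.example';
const IMPORTER = parsePolicy(
  "default-src 'self'; script-src 'self'; import-src https://components.example"
);
const IMPORTED = parsePolicy("script-src 'nonce-d3adb33f' https://cdn.example");

function demo() {
  return evaluateImport(IMPORTER, SELF_ORIGIN,
    'https://components.example/widget.html', IMPORTED, 'd3adb33f');
}

console.log(demo());
// { fetchAllowed: true, inlineAllowedOwnPolicy: true, inlineAllowedInherited: false }
```

The last field is the point of the thread: under inheritance, an import that carries an inline script is blocked by an importer policy of `script-src 'self'` unless the importer adds `'unsafe-inline'` for everything; under the proposal the import can carry its own nonce and the importer's policy only needs to whitelist the import's origin.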
