On Tue, Apr 7, 2015 at 5:58 AM, Mike West <mkwst@google.com> wrote: > CCing folks who were inadvertently dropped from explicit CC, to widen the > net. > > -mike > > -- > Mike West <mkwst@google.com>, @mikewest > > Google Germany GmbH, Dienerstrasse 12, 80331 München, > Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der > Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth > Flores > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) > > On Tue, Apr 7, 2015 at 1:39 PM, Mike West <mkwst@google.com> wrote: > >> After thinking about this a bit more over the holidays, I think I'm more >> in agreement with you than I thought, Dev. :) >> >> What do you think about this: >> >> 1. Move imports to `import-src` (we'll need to measure usage in Chrome, >> but assuming this is mostly an extension thing at this point, it should be >> doable). >> >> 2. Give imports their own policy (that is, no longer inherit from the >> containing document) like Workers and frames, which would enable them to >> either whitelist `unsafe-inline` themselves, or use nonces/hashes whatever. >> > This seems encouraging. What is the bottom line for developers using CSP? What is the least that they need to do in order to make HTML Imports usable? :DG<Received on Tuesday, 7 April 2015 15:44:01 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC