On Tue, Apr 7, 2015 at 7:04 PM, Jeffrey Yasskin <jyasskin@google.com> wrote:
>
> Further, they should put a CSP on the HTML Imports themselves, right?
>
Yes! Absolutely. Dimitri was asking for the minimum, but I should have set
that bar higher.
> Otherwise the Import can pull scripts from bad places and be XSS'ed
> itself. If the HTML Import contains inline script blocks, they'll also
> need to enable those, probably with hashes since unsafe-inline enables
> too much. Has anyone written a build step for grunt/gulp/etc that
> generates hashes for a static file? What needs to be done to serve
> those hashes from most CDNs?
Yes, in a reasonable world of reasonable people, folks who write Imports
will create reasonable policies for those imports.
Again, outside the realm of this WG, this means that Chrome's extension
system is going to need a way of specifying policy for individual files.
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)