Re: HTML Imports and CSP from Mike West on 2015-04-07 (public-webappsec@w3.org from April 2015)

From: Mike West <mkwst@google.com>
Date: Tue, 7 Apr 2015 19:07:34 +0200
To: Jeffrey Yasskin <jyasskin@google.com>
Cc: Dimitri Glazkov <dglazkov@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Brad Hill <hillbrad@gmail.com>, Joel Weinberger <jww@google.com>, Justin Schuh <jschuh@google.com>, Nathan Sobo <nathan@github.com>, Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=cpLCyL82sW6OfBpOffdSu12CQcJF+5S0feaUyAewrhSw@mail.gmail.com>

On Tue, Apr 7, 2015 at 7:04 PM, Jeffrey Yasskin <jyasskin@google.com> wrote:
>
> Further, they should put a CSP on the HTML Imports themselves, right?
>

Yes! Absolutely. Dimitri was asking for the minimum, but I should have set
that bar higher.

> Otherwise the Import can pull scripts from bad places and be XSS'ed
> itself. If the HTML Import contains inline script blocks, they'll also
> need to enable those, probably with hashes since unsafe-inline enables
> too much. Has anyone written a build step for grunt/gulp/etc that
> generates hashes for a static file? What needs to be done to serve
> those hashes from most CDNs?

Yes, in a reasonable world of reasonable people, folks who write Imports
will create reasonable policies for those imports.

Again, outside the realm of this WG, this means that Chrome's extension
system is going to need a way of specifying policy for individual files.

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 7 April 2015 17:08:22 UTC