W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

Re: HTML Imports and CSP

From: Justin Fagnani <justinfagnani@google.com>
Date: Fri, 27 Mar 2015 13:04:07 -0700
Message-ID: <CAEKsHmC2ConTyW+fF4GBAR6_GzMeixJOThju8rSXvZkY-8NNhQ@mail.gmail.com>
To: public-webappsec@w3.org
(sorry for the poor by-hand quoting, lists.w3.org isn't quoting for me)

Mike West <mkwst@google.com>:
> the 'unsafe-static-inline' source expression that Adam proposed in
> https://code.google.com/p/chromium/issues/detail?id=393307#c7 seems like a
> reasonable first step.

I don't think this will be quite enough, since dynamically adding <link>s
to the document to trigger an import is a common pattern for deferred
loading of components, and for plug-in systems like what Atom.io is looking
to use imports for.

-Justin
Received on Friday, 27 March 2015 20:04:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:11 UTC