- From: Nathan Sobo <nathan@github.com>
- Date: Fri, 27 Mar 2015 16:23:32 -0600
- To: public-webappsec@w3.org
- Message-ID: <CAPEVo5Jxo8R2zx91TjWx73RH0HaRj6_VEwcVvGDiuRpcqmoXxg@mail.gmail.com>
Nathan Sobo from the Atom core team here.

For us, the most intuitive solution would be to allow a nonce attribute to be specified on an import, similar to how a nonce can be applied to an inline script. When applied to an import, the nonce would apply transitively to all script tags in all imported documents. It would only apply for inline scripts present at the time of import. Script tags added to imported documents *after* the fact would not have a nonce automatically applied.

We use a CSP in Atom to prevent package authors from accidentally inserting script tags into the document, for example, when previewing a markdown document. However, if they're explicitly asking to do an HTML import, then their intent is clear, and we'd like them to be able to run imported scripts if they have access to the current CSP nonce.

Can anyone articulate to me anything I might be missing here? Would this be a workable solution from a security perspective?
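The semantics proposed above, as an added model that is not part of the original message, of any browser, or of Atom: an import's nonce is copied onto the inline scripts present in the imported document at import time, later-inserted scripts get nothing, and a script runs only if its nonce appears in the policy's `script-src`. The "documents" are hand-built objects, and the policy string and nonce value are constructed for the example.

```javascript
// Model of the proposed "nonce on import" rule (hypothetical, not browser
// behaviour). Documents are plain objects: { scripts: [{ nonce: string|null }] }.

// Return the set of nonce values listed in the script-src directive of a CSP.
function scriptSrcNonces(csp) {
  const directive = csp.split(';').map(d => d.trim())
    .find(d => d.startsWith('script-src'));
  const nonces = new Set();
  if (!directive) return nonces;
  for (const token of directive.split(/\s+/).slice(1)) {
    const m = /^'nonce-([A-Za-z0-9+/=]+)'$/.exec(token);
    if (m) nonces.add(m[1]);
  }
  return nonces;
}

// Processing the import: every inline script present in the imported document
// right now inherits the import element's nonce (scripts that already carry a
// nonce keep their own). Returns the number of scripts that were stamped.
function importDocument(importElement, importedDoc) {
  let stamped = 0;
  for (const script of importedDoc.scripts) {
    if (importElement.nonce && !script.nonce) { script.nonce = importElement.nonce; stamped++; }
  }
  return stamped;
}

// A script inserted after import time gets no nonce from the import.
function appendScript(importedDoc, script) {
  importedDoc.scripts.push(script);
  return script;
}

// The policy check: a script runs only if its nonce is listed in script-src.
function scriptAllowed(csp, script) {
  return Boolean(script.nonce) && scriptSrcNonces(csp).has(script.nonce);
}

// Walk through the scenario from the message: one script present at import
// time, one added afterwards. Constructed policy and nonce value.
function demo() {
  const csp = "default-src 'self'; script-src 'self' 'nonce-abc123'";
  const importedDoc = { scripts: [{ nonce: null }] };
  const stamped = importDocument({ nonce: 'abc123' }, importedDoc);
  const late = appendScript(importedDoc, { nonce: null });
  return { stamped, early: scriptAllowed(csp, importedDoc.scripts[0]), late: scriptAllowed(csp, late) };
}
```

Running `demo()` yields `{ stamped: 1, early: true, late: false }`: the script present at import time runs, the one inserted afterwards is blocked.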
Received on Friday, 27 March 2015 22:24:00 UTC