Re: HTML Imports and CSP

From: Nathan Sobo <nathan@github.com>
Date: Fri, 27 Mar 2015 16:23:32 -0600
Message-ID: <CAPEVo5Jxo8R2zx91TjWx73RH0HaRj6_VEwcVvGDiuRpcqmoXxg@mail.gmail.com>
To: public-webappsec@w3.org

Nathan Sobo from the Atom core team here.

For us, the most intuitive solution would be to allow a nonce attribute to
be specified on an import, similar to how a nonce can be applied to an
inline script. When applied to an import, the nonce would apply
transitively to all script tags in all imported documents. It would only
apply for inline scripts present at the time of import. Script tags added
to imported documents *after* the fact would not have a nonce automatically
applied.

We use a CSP in Atom to prevent package authors from accidentally inserting
script tags into the document, for example, when previewing a markdown
document. However, if they're explicitly asking to do an HTML import, then
their intent is clear, and we'd like them to be able to run imported
scripts if they have access to the current CSP nonce.

Can anyone articulate to me anything I might be missing here? Would this be
a workable solution from a security perspective?

Received on Friday, 27 March 2015 22:24:00 UTC
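The rule proposed in the message above (an import's nonce stamped onto every inline script present in the imported document tree at import time, but not onto scripts inserted later) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from Atom: documents are plain objects rather than a DOM, the host page's CSP is a constructed header string, and the policy check deliberately considers only `'nonce-...'` sources in `script-src` (host sources, hashes and `'unsafe-inline'` are ignored) so that the nonce-propagation behaviour is the only thing being exercised.

```javascript
// Added example modelling the proposed "nonce on <link rel=import>" rule.
// Not from Atom or from the original message; the document tree and CSP
// string below are constructed for illustration.

// Extract the set of nonce values listed in the script-src directive of a CSP.
function parseScriptSrcNonces(csp) {
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^script-src(\s|$)/.test(d));
  const nonces = new Set();
  if (!directive) return nonces;
  for (const token of directive.split(/\s+/).slice(1)) {
    const m = /^'nonce-([A-Za-z0-9+\/=_-]+)'$/.exec(token);
    if (m) nonces.add(m[1]);
  }
  return nonces;
}

// Build a deep-copied document tree. `scripts` are inline script descriptors
// ({ id, nonce? }); `imports` are nested documents, modelling transitive imports.
function makeDocument(scripts = [], imports = []) {
  return {
    scripts: scripts.map((s) => ({ ...s })),
    imports: imports.map((d) => makeDocument(d.scripts, d.imports)),
  };
}

// Proposed behaviour: at import time, every inline script already present in
// this document and in every document it imports receives the import's nonce.
// A script that already carries its own nonce keeps it. Returns a stamped copy.
function importWithNonce(doc, importNonce) {
  return {
    scripts: doc.scripts.map((s) => ({ ...s, nonce: s.nonce ?? importNonce })),
    imports: doc.imports.map((d) => importWithNonce(d, importNonce)),
  };
}

// Scripts inserted after the import (e.g. by package code at runtime) are not
// stamped: they are added exactly as given, normally without a nonce.
function appendScriptAfterImport(doc, script) {
  doc.scripts.push({ ...script });
  return doc;
}

// Evaluate every inline script in the tree against the CSP: allowed iff the
// script carries a nonce that appears in script-src. Returns [{ id, allowed }].
function evaluateInlineScripts(csp, doc) {
  const nonces = parseScriptSrcNonces(csp);
  const results = [];
  const walk = (d) => {
    for (const s of d.scripts) {
      results.push({ id: s.id, allowed: s.nonce !== undefined && nonces.has(s.nonce) });
    }
    d.imports.forEach(walk);
  };
  walk(doc);
  return results;
}

// Constructed scenario: a host page whose CSP carries nonce abc123 imports a
// package document, which itself imports a nested document; after the import,
// package code appends one more inline script.
function runScenario(importNonce) {
  const csp = "default-src 'self'; script-src 'self' 'nonce-abc123'";
  const nested = makeDocument([{ id: 'nested-inline' }]);
  const pkg = makeDocument([{ id: 'pkg-inline' }], [nested]);
  const imported = importWithNonce(pkg, importNonce);
  appendScriptAfterImport(imported, { id: 'added-later' });
  return evaluateInlineScripts(csp, imported);
}

// Run with the correct nonce: the two scripts present at import time are
// allowed, the script added afterwards is blocked.
console.log(runScenario('abc123'));
// Run with a nonce the package does not actually hold: everything is blocked.
console.log(runScenario('not-the-real-nonce'));
```

The two runs at the bottom make the proposal's security boundary explicit: a package can only unlock imported scripts if it actually holds the current nonce, and even then the unlock covers only what was in the imported tree at import time, so a later `document.createElement('script')` from previewed content is still subject to the host's CSP.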

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:11 UTC