- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Sat, 28 Mar 2015 22:23:29 -0700
- To: Justin Fagnani <justinfagnani@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

> I don't think this will be quite enough, since dynamically adding <link>s to
> the document to trigger an import is a common pattern for deferred loading
> of components, and for plug-in systems like what Atom.io is looking to use
> imports for.

Interesting. My read was that this would still be allowed by the hypothetical unsafe-static-inline element. The link tag creates an import, but doesn't have inline script. The actual inline script is in the target of the link tag and the parser is created by a network fetch, so wouldn't be a script created parser per se.

That said, I am actually not a fan of the proposal because I don't think it gives us security nor does it solve all use cases.

cheers
Dev

Received on Sunday, 29 March 2015 05:24:17 UTC