W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

Re: HTML Imports and CSP

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Sat, 28 Mar 2015 22:23:29 -0700
Message-ID: <CAPfop_2iX99uObNCi57T4S+PoeoUjwJrV7GvsZ+h_uFs5+EFVQ@mail.gmail.com>
To: Justin Fagnani <justinfagnani@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
> I don't think this will be quite enough, since dynamically adding <link>s to
> the document to trigger an import is a common pattern for deferred loading
> of components, and for plug-in systems like what Atom.io is looking to use
> imports for.

Interesting. My read was that this would still be allowed by the
hypothetical unsafe-static-inline element. The link tag creates an
import, but doesn't have inline script. The actual inline script is in
the target of the link tag and the parser is created by a network
fetch, so wouldn't be a script created parser per se.

That said, I am actually not a fan of the proposal because I don't
think it gives us security nor does it solve all use cases.

cheers
Dev
Received on Sunday, 29 March 2015 05:24:17 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:11 UTC