
Re: HTML Imports and CSP

From: Jonathan Kingston <jonathan@jooped.com>
Date: Fri, 27 Mar 2015 23:52:43 +0000
Message-ID: <CAKrjaaUa1zz89h4JtbQoowQ+gG6qtBuhcrJLO_1v2nc-0ddVuw@mail.gmail.com>
To: Nathan Sobo <nathan@github.com>
Cc: public-webappsec@w3.org

This somewhat continues from my previous post about external CSP files:
https://lists.w3.org/Archives/Public/public-webappsec/2015Mar/0148.html

I think this approach could be used within the imports too via a link
element or perhaps an attribute on the import.

Perhaps imports that have an SRI 'integrity' attribute specified could be
treated as a safer context when coupled with using a CSP nonce.

On 27 March 2015 at 22:23, Nathan Sobo <nathan@github.com> wrote:

> Nathan Sobo from the Atom core team here.
>
> For us, the most intuitive solution would be to allow a nonce attribute to
> be specified on an import, similar to how a nonce can be applied to an
> inline script. When applied to an import, the nonce would apply
> transitively to all script tags in all imported documents. It would only
> apply for inline scripts present at the time of import. Script tags added
> to imported documents *after* the fact would not have a nonce automatically
> applied.
>
> We use a CSP in Atom to prevent package authors from accidentally
> inserting script tags into the document, for example, when previewing a
> markdown document. However, if they're explicitly asking to do an HTML
> import, then their intent is clear, and we'd like them to be able to run
> imported scripts if they have access to the current CSP nonce.
>
> Can anyone articulate to me anything I might be missing here? Would this
> be a workable solution from a security perspective?
>
Received on Monday, 30 March 2015 08:26:19 UTC