Re: HTML Imports and CSP

This somewhat continues from my previous post about external CSP files:

I think this approach could be used within the imports too via a link
element or perhaps an attribute on the import.

Perhaps imports that have an SRI 'integrity' attribute specified could be
treated as a safer context when coupled with using a CSP nonce.

On 27 March 2015 at 22:23, Nathan Sobo <> wrote:

> Nathan Sobo from the Atom core team here.
> For us, the most intuitive solution would be to allow a nonce attribute to
> be specified on an import, similar to how a nonce can be applied to an
> inline script. When applied to an import, the nonce would apply
> transitively to all script tags in all imported documents. It would only
> apply for inline scripts present at the time of import. Script tags added
> to imported documents *after* the fact would not have a nonce automatically
> applied.
> We use a CSP in Atom to prevent package authors from accidentally
> inserting script tags into the document, for example, when previewing a
> markdown document. However, if they're explicitly asking to do an HTML
> import, then their intent is clear, and we'd like them to be able to run
> imported scripts if they have access to the current CSP nonce.
> Can anyone articulate to me anything I might be missing here? Would this
> be a workable solution from a security perspective?

Received on Monday, 30 March 2015 08:26:19 UTC