Re: HTML Imports and CSP

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 30 Mar 2015 13:52:23 -0700
Message-ID: <CAPfop_26Jag5jR6inc+=8dQ-j8krP-eHntv0aB-MdR46KTnYfQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

> For clarity, I think we should simply allow script inlined into an HTML
> Import. There doesn't seem to be additional risk above and beyond what the

script inlined if the main page allows inline script via
unsafe-inline? Then, sure.

> author has already accepted by whitelisting the Import's URL as part of the
> `script-src` directive.

Why not create a new directive?


> -mike
> --
> Mike West <mkwst@google.com>, @mikewest
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 30 March 2015 20:53:11 UTC