- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 30 Mar 2015 13:52:23 -0700
- To: Mike West <mkwst@google.com>
- Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> For clarity, I think we should simply allow script inlined into an HTML > Import. There doesn't seem to be additional risk above and beyond what the script inlined if the main page allows inline script via unsafe-inline? then, sure. > author has already accepted by whitelisting the Import's URL as part of the > `script-src` directive. Why not create a new directive? cheers Dev > > -mike > > -- > Mike West <mkwst@google.com>, @mikewest > > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, > Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: > Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 30 March 2015 20:53:11 UTC