
Re: HTML Imports and CSP

From: Joel Weinberger <jww@chromium.org>
Date: Mon, 30 Mar 2015 21:04:57 +0000
Message-ID: <CAHQV2KnV_4y_DyrEyW3WNhQUVaJhSRu0tA0dt+oeAH45aNm2HA@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>, Mike West <mkwst@google.com>
Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
All of this is well-and-good for the "static inline" case, as described in
Adam's original proposal. That is, I certainly agree that nonce/hash + a
src directive (I have a preference for a new directive, as Dev mentioned,
but script-src would work as well) would be "good enough" here. But what do
we then do about the non-static import case?

That is, as Alex Russell has suggested, we should assume that developers
will start dynamically generating modules based on untrusted input, and the
approaches we're discussing would force developers to blindly whitelist
their contents. Shouldn't we have a way for a module developer who wants to
specify a policy for their content to do so? Or are all of you arguing that
we shouldn't expect this issue/we should cross that bridge when we come to
it?

It seems to me that importable documents should be able to specify a unique
policy for their import (in addition to having the outer page specify a
policy about what can be imported).
--Joel

On Mon, Mar 30, 2015 at 1:56 PM Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> > For clarity, I think we should simply allow script inlined into an HTML
> > Import. There doesn't seem to be additional risk above and beyond what the
>
> script inlined if the main page allows inline script via
> unsafe-inline? then, sure.
>
> > author has already accepted by whitelisting the Import's URL as part of the
> > `script-src` directive.
>
> Why not create a new directive?
>
> cheers
> Dev
>
> > -mike
> >
> > --
> > Mike West <mkwst@google.com>, @mikewest
> >
> > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> > Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> > Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 30 March 2015 21:05:25 UTC
