
Re: HTML Imports and CSP

From: Mike West <mkwst@google.com>
Date: Tue, 31 Mar 2015 11:06:51 +0200
Message-ID: <CAKXHy=c8i3hUJ7hr0YM+rhryhONs2k_O_hMB35NqDvvc_W3h3A@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Justin Fagnani <justinfagnani@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Mar 30, 2015 at 10:52 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > For clarity, I think we should simply allow script inlined into an HTML
> > Import. There doesn't seem to be additional risk above and beyond what the
>
> script inlined if the main page allows inline script via
> unsafe-inline? then, sure.
>

No. Script inlined in the import if the import is whitelisted via
`script-src`. Basically, `script-src` says "It's ok to load script from
over here." The fact that that script is contained in an imported HTML
document rather than in a script resource doesn't seem terribly relevant,
does it?


> > author has already accepted by whitelisting the Import's URL as part of the
> > `script-src` directive.
>
> Why not create a new directive?
>

In theory, a new directive is totally reasonable. Practically, I worry that
folks who are currently protected from bad imports via `script-src` would
cease to be protected if they had to define `import-src` or something
similar.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
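As an added illustration (not part of the thread, and not any browser's implementation), the following Python model makes the semantics above concrete: an inline script inside an HTML Import is permitted when the Import's URL matches the page's `script-src` source list, independently of whether `'unsafe-inline'` is present. The host-source matching is deliberately simplified (scheme, wildcard host, port only), and the policy string and URLs are constructed examples.

```python
"""Model of the proposal above: inline script in an HTML Import is allowed
iff the Import's URL is whitelisted by `script-src`. Simplified matcher,
not a full CSP parser; policy and URLs below are constructed examples."""
from fnmatch import fnmatchcase
from urllib.parse import urlparse


def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(expr, url, page_origin):
    """Simplified CSP host-source match: scheme, host (with * wildcard), port.
    Keyword sources ('unsafe-inline', 'none', nonces, hashes) never match a URL."""
    u = urlparse(url)
    if expr == "'self'":
        p = urlparse(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr.startswith("'"):
        return False
    if "://" not in expr:              # scheme-less host source inherits the URL's scheme
        expr = u.scheme + "://" + expr
    e = urlparse(expr)
    return (e.scheme == u.scheme
            and fnmatchcase(u.hostname or "", e.hostname or "")
            and (e.port is None or e.port == u.port))


def script_sources(header):
    """`script-src` governs script; fall back to `default-src` when absent."""
    policy = parse_csp(header)
    return policy.get("script-src", policy.get("default-src", []))


def inline_script_in_import_allowed(header, import_url, page_origin):
    """Thread's proposal: the Import's own URL must be whitelisted by script-src."""
    return any(source_matches(s, import_url, page_origin) for s in script_sources(header))


def inline_script_in_page_allowed(header):
    """Inline script in the main document still needs 'unsafe-inline' (nonces/hashes aside)."""
    return "'unsafe-inline'" in script_sources(header)


if __name__ == "__main__":
    policy = "default-src 'none'; script-src 'self' https://imports.example"
    print(inline_script_in_import_allowed(policy, "https://imports.example/w.html", "https://app.example"))
    print(inline_script_in_import_allowed(policy, "https://evil.example/w.html", "https://app.example"))
```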
Received on Tuesday, 31 March 2015 09:07:42 UTC
