On Mon, Mar 30, 2015 at 10:52 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:

> > For clarity, I think we should simply allow script inlined into an HTML
> > Import. There doesn't seem to be additional risk above and beyond what the
>
> script inlined if the main page allows inline script via unsafe-inline? then, sure.

No. Script inlined in the import if the import is whitelisted via `script-src`. Basically, `script-src` says "It's ok to load script from over here." The fact that that script is contained in an imported HTML document rather than in a script resource doesn't seem terribly relevant, does it?

> > author has already accepted by whitelisting the Import's URL as part of the
> > `script-src` directive.
>
> Why not create a new directive?

In theory, a new directive is totally reasonable. Practically, I worry that folks who are currently protected from bad imports via `script-src` would cease to be protected if they had to define `import-src` or something similar.

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registration court and number: Hamburg, HRB 86891, Registered office: Hamburg, Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 31 March 2015 09:07:42 UTC
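The policy decision Mike describes, written out as an added Python model (not code from this thread or from any browser's CSP implementation): an inline script inside an HTML Import is permitted when the import's URL matches `script-src`, while an inline script in the main document still needs `'unsafe-inline'`. Source matching is simplified to origin-level host sources, `'self'` and `*`; the policy strings and origins are constructed for the example.

```python
from urllib.parse import urlsplit


def parse_policy(header):
    """Parse a CSP header into {directive_name: [source, ...]} (all lowercased)."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def script_sources(policy):
    """script-src governs script; CSP falls back to default-src when it is absent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def origin_allowed(sources, url, page_origin):
    """Simplified host-source matching: '*', 'self', or an exact scheme://host."""
    u = urlsplit(url)
    origin = f"{u.scheme}://{u.netloc}".lower()
    for src in sources:
        if src == "*" or src == origin:
            return True
        if src == "'self'" and origin == page_origin.lower():
            return True
    return False


def script_permitted(header, page_origin, script_url=None, inline=False, import_url=None):
    """Decide whether one script may run under the page's CSP.

    script_url : URL of an external <script src> (None for inline script)
    inline     : True for an inline <script> block
    import_url : if the inline script lives inside an HTML Import, the import's URL;
                 under the proposal in the thread, the script is then treated as
                 loaded from that URL rather than judged by 'unsafe-inline'
    """
    sources = script_sources(parse_policy(header))
    if sources is None:
        return True  # neither script-src nor default-src: nothing is restricted
    if inline:
        if import_url is not None:
            return origin_allowed(sources, import_url, page_origin)
        return "'unsafe-inline'" in sources
    return origin_allowed(sources, script_url, page_origin)
```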