Re: HTML Imports and CSP

On Mon, Mar 30, 2015 at 10:52 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> > For clarity, I think we should simply allow script inlined into an HTML
> > Import. There doesn't seem to be additional risk above and beyond what the
>
> script inlined if the main page allows inline script via
> unsafe-inline? then, sure.
>

No. Script inlined in the import if the import is whitelisted via
`script-src`. Basically, `script-src` says "It's ok to load script from
over here." The fact that that script is contained in an imported HTML
document rather than in a script resource doesn't seem terribly relevant,
does it?

> > author has already accepted by whitelisting the Import's URL as part of the
> > `script-src` directive.
>
> Why not create a new directive?
>

In theory, a new directive is totally reasonable. Practically, I worry that
folks who are currently protected from bad imports via `script-src` would
cease to be protected if they had to define `import-src` or something
similar.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Tuesday, 31 March 2015 09:07:42 UTC
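The two readings debated above, modelled as an added example that is not part of the thread: a toy `script-src` evaluator that treats inline script inside an HTML Import either as ordinary inline script (needing `'unsafe-inline'`) or, per the proposal, as script loaded from the Import's own URL. It ignores nonces, hashes, wildcards and the `default-src` fallback, and the page and Import origins are constructed placeholders.

```javascript
// Added example (not code from the mail thread). Simplified CSP model:
// only 'self', 'unsafe-inline', "https:" and exact origins are understood.
const PAGE_ORIGIN = "https://app.example"; // constructed main-page origin

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Pull the source-expression list out of the script-src directive.
function parseScriptSrc(policy) {
  const dir = policy.split(";").map(s => s.trim())
    .find(s => s.startsWith("script-src "));
  return dir ? dir.slice("script-src".length).trim().split(/\s+/) : [];
}

function originAllowed(sources, url, pageOrigin) {
  const origin = originOf(url);
  return sources.some(src =>
    (src === "'self'" && origin === pageOrigin) ||
    (src === "https:" && origin.startsWith("https://")) ||
    src === origin);
}

// script = { kind: "external" | "inline", url?, importUrl? }
//   importUrl is the HTML Import the script lives in, or null for the main page.
// importOriginSuffices=true  -> the proposal in the mail: a whitelisted Import
//                               may carry inline script.
// importOriginSuffices=false -> inline script in an Import still needs
//                               'unsafe-inline', like inline script anywhere.
function scriptAllowed(policy, script,
  { importOriginSuffices = true, pageOrigin = PAGE_ORIGIN } = {}) {
  const sources = parseScriptSrc(policy);
  if (sources.length === 0) return true; // no script-src: nothing restricted here
  if (script.kind === "external") {
    return originAllowed(sources, script.url, pageOrigin);
  }
  if (sources.includes("'unsafe-inline'")) return true;
  if (!script.importUrl || !importOriginSuffices) return false;
  // Import must itself be loadable under script-src; if it is, its inline
  // script is treated as script served from that whitelisted location.
  return originAllowed(sources, script.importUrl, pageOrigin);
}
```

With `script-src 'self' https://imports.example`, inline script in an Import from `https://imports.example` runs under the proposal but not under the stricter reading, while an Import from an unlisted origin is refused under both.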