25566 2014-05-06 03:00:54 +0000 [imports]: Supporting more than just the script-src CSP directive in imports. 2015-07-06 08:12:33 +0000 1 1 1 Unclassified WebAppsWG HISTORICAL - Component Model unspecified PC All RESOLVED MOVED P2 normal --- 20683 24632 1 pdr morrita adamk annevk dglazkov esprehn fbraun hillbrad mike public-webapps www-dom public-webapps-bugzilla oldest_to_newest 105147 0 pdr 2014-05-06 03:00:54 +0000 The Content Security Policy section of HTML Imports currently specifies: "Content Security Policy must restrict import loading through the script-src directive." There seems to be a slight mismatch between the CSP directives and what HTML Imports supports. For example, I can imagine html imports being used for just html+css, or just svg without script. I don't have a great suggestion for how to support this other than additional import types such as "import-src". Doing this would require spec'ing how the transitive CSP dependencies of imports works. 105162 1 fbraun 2014-05-06 07:57:20 +0000 Let's make sure resolving this issue does not involve monkey patching the CSP spec :) The web application security working group has discussed imports and CSP previously and came to the conclusion that it should indeed fall under the script-src directive: http://lists.w3.org/Archives/Public/public-webappsec/2013Apr/0079.html (CCing Brad Hill) 105175 2 annevk 2014-05-06 12:39:36 +0000 A thing you could potentially do here is have gradations. E.g. you could still allow loading HTML imports, but not execute their scripts. Part of the problem here is that we do not really know what the declarative version will look like... 121709 3 hayato 2015-07-06 08:12:33 +0000 Moved to https://github.com/w3c/webcomponents/issues/217