This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
The Content Security Policy section of HTML Imports currently specifies: "Content Security Policy must restrict import loading through the script-src directive." There seems to be a slight mismatch between the CSP directives and what HTML Imports supports. For example, I can imagine html imports being used for just html+css, or just svg without script. I don't have a great suggestion for how to support this other than additional import types such as "import-src". Doing this would require spec'ing how the transitive CSP dependencies of imports works.
Let's make sure resolving this issue does not involve monkey patching the CSP spec :) The web application security working group has discussed imports and CSP previously and came to the conclusion that it should indeed fall under the script-src directive: http://lists.w3.org/Archives/Public/public-webappsec/2013Apr/0079.html (CCing Brad Hill)
A thing you could potentially do here is have gradations. E.g. you could still allow loading HTML imports, but not execute their scripts. Part of the problem here is that we do not really know what the declarative version will look like...
Moved to https://github.com/w3c/webcomponents/issues/217