[Bug 25566] New: [imports]: Supporting more than just the script-src CSP directive in imports. from bugzilla@jessica.w3.org on 2014年05月06日 (www-dom@w3.org from April to June 2014)

From: <bugzilla@jessica.w3.org>
Date: 2014年5月06日 03:00:54 +0000
To: www-dom@w3.org
Message-ID: <bug-25566-4009@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=25566
 Bug ID: 25566
 Summary: [imports]: Supporting more than just the script-src
 CSP directive in imports.
 Product: WebAppsWG
 Version: unspecified
 Hardware: PC
 OS: All
 Status: NEW
 Severity: normal
 Priority: P2
 Component: DOM
 Assignee: morrita@google.com
 Reporter: pdr@google.com
 QA Contact: public-webapps-bugzilla@w3.org
 CC: mike@w3.org, www-dom@w3.org
 Blocks: 20683
The Content Security Policy section of HTML Imports currently specifies:
"Content Security Policy must restrict import loading through the script-src
directive."
There seems to be a slight mismatch between the CSP directives and what HTML
Imports supports. For example, I can imagine html imports being used for just
html+css, or just svg without script.
I don't have a great suggestion for how to support this other than additional
import types such as "import-src". Doing this would require spec'ing how the
transitive CSP dependencies of imports works.
-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Tuesday, 6 May 2014 03:00:55 UTC