[imports]: Supporting more than just the script-src CSP directive in imports. (bugzilla: 25566)

[hayatoito]

Title: [imports]: Supporting more than just the script-src CSP directive in imports. (bugzilla: 25566)

Migrated from: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25566

---

comment: 0
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25566#c0
Philip Rogers wrote on 2014-05-06 03:00:54 +0000.

The Content Security Policy section of HTML Imports currently specifies: "Content Security Policy must restrict import loading through the script-src directive."

There seems to be a slight mismatch between the CSP directives and what HTML Imports supports. For example, I can imagine html imports being used for just html+css, or just svg without script.

I don't have a great suggestion for how to support this other than additional import types such as "import-src". Doing this would require spec'ing how the transitive CSP dependencies of imports works.

---

comment: 1
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25566#c1
** wrote on 2014-05-06 07:57:20 +0000.

Let's make sure resolving this issue does not involve monkey patching the CSP spec :)

The web application security working group has discussed imports and CSP previously and came to the conclusion that it should indeed fall under the script-src directive: http://lists.w3.org/Archives/Public/public-webappsec/2013Apr/0079.html

(CCing Brad Hill)

---

comment: 2
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25566#c2
Anne wrote on 2014-05-06 12:39:36 +0000.

A thing you could potentially do here is have gradations. E.g. you could still allow loading HTML imports, but not execute their scripts.

Part of the problem here is that we do not really know what the declarative version will look like...

[TakayoshiKochi]

This has been open without any discussion for some time, and as HTML Imports spec is no longer actively maintained, closing this without any conclusion.