Importing modules inside HTML imports

John Barton johnjbarton at google.com
Mon Aug 18 07:57:04 PDT 2014


On Mon, Aug 18, 2014 at 12:57 AM, Anne van Kesteren <annevk at annevk.nl>
wrote:

> On Sun, Aug 17, 2014 at 8:52 PM, John Barton <johnjbarton at google.com>
> wrote:
> > The argument goes like this: we all want secure Web pages, we can't secure
> > Web pages that allow inline scripts, therefore we have to ban inline
> > scripts.
> >
> > If the argument is wrong, ignore my advice, CSP will die.  I personally
> > think that would be great.
>
> It seems you did not read what I wrote. CSP does support inline
> scripts these days.
>

So you are claiming that CSP no longer restricts inline scripts and that
the various online docs are incorrect? Or only that the server must set the
"unsafe-inline" value to opt out of the restriction?

Some of the sites that make me think this has not changed:

http://www.w3.org/TR/CSP/
In either case, authors should not include 'unsafe-inline' in their CSP
policies if they wish to protect themselves against XSS.

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
*Note:* Both 'unsafe-inline' and 'unsafe-eval' are unsafe and can open your
web site up to cross-site scripting vulnerabilities.

http://content-security-policy.com/

jjb
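Added example, not part of the thread: the two positions above can be made concrete by comparing a policy that opts out with 'unsafe-inline' against one that names a specific inline script through the nonce and hash sources CSP Level 2 added. The helper names (script_hash_source, allows_arbitrary_inline, etc.) and the sample script body are my own; the policy grammar and the rule that a nonce or hash source causes 'unsafe-inline' to be ignored come from the CSP Level 2 spec.

```python
import base64
import hashlib
import secrets

# Constructed sample: the one inline script a page wants to keep running
# while still refusing any inline script an attacker manages to inject.
SAMPLE_INLINE_SCRIPT = "console.log('page boot');"


def script_hash_source(script_text: str) -> str:
    """CSP Level 2 hash source for one inline <script> body.

    The browser hashes the UTF-8 text of the script element, so any
    whitespace or wording change invalidates the hash; regenerate it
    whenever the inline script is edited.
    """
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Per-response random nonce; it must be fresh for every HTML response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def nonce_source(nonce: str) -> str:
    return f"'nonce-{nonce}'"


def nonced_script_tag(nonce: str, body: str) -> str:
    """The markup that pairs with nonce_source(nonce) in the header."""
    return f'<script nonce="{nonce}">{body}</script>'


def build_policy(extra_script_sources=()) -> str:
    """Same-origin scripts plus whatever extra script sources are given."""
    script_src = " ".join(["'self'", *extra_script_sources])
    return f"default-src 'self'; script-src {script_src}"


def effective_script_sources(policy: str) -> list:
    """Source tokens governing scripts: script-src, else default-src."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives.get("script-src", directives.get("default-src", []))


def allows_arbitrary_inline(policy: str) -> bool:
    """True when the policy lets any inline script run.

    'unsafe-inline' opts out of the inline restriction entirely, except
    that a CSP Level 2 browser ignores it once a nonce- or hash-source is
    also listed, so hashed/nonced policies stay safe even if someone
    leaves 'unsafe-inline' in for older browsers.
    """
    tokens = effective_script_sources(policy)
    has_nonce_or_hash = any(
        t.startswith("'nonce-") or t.startswith("'sha") for t in tokens
    )
    return "'unsafe-inline'" in tokens and not has_nonce_or_hash


if __name__ == "__main__":
    weak = build_policy(["'unsafe-inline'"])
    hashed = build_policy([script_hash_source(SAMPLE_INLINE_SCRIPT)])
    nonce = new_nonce()
    nonced = build_policy([nonce_source(nonce)])
    for label, policy in [("unsafe-inline", weak), ("hash", hashed), ("nonce", nonced)]:
        print(f"{label:13} any-inline={allows_arbitrary_inline(policy)}  {policy}")
    print(nonced_script_tag(nonce, SAMPLE_INLINE_SCRIPT))
```

The hash form suits static inline scripts that never change; the nonce form suits templated pages, where the server generates a fresh value per response and stamps it on each script tag it emits. Both keep the inline restriction in force for every script that does not carry the matching hash or nonce, which is the property 'unsafe-inline' gives up.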