Hi there!

I wanted to raise this question again in the context of using polymer in 
Chromium. We have the issue that there are strong reasons not to include 
node.js in our toolchain (and thus not to use vulcanize in our build). 

A few questions:
1) I'm not completely clear on the implications of abarth@'s comments. Use 
of polymer elements in Chrome would typically be in things like locally 
loaded extensions. My understanding is that HTML imports of local files 
that contain inline scripts will still violate CSP. Is this true?
2) Is it possible to make the polymer library elements CSP compliant? 
Whether or not a developer wants to adhere to CSP in their own polymer 
elements is up to them, but by making the library elements violate CSP they 
don't have the option. I realize it was asked before but the answer wasn't 
completely clear.

See the context in: 
https://plus.sandbox.google.com/u/0/111967095663552818484/posts/es6eDhXc1m6 
for more info.

Thanks!
Raymes

On Thursday, October 3, 2013 3:14:25 AM UTC+10, Scott Miles wrote:
>
> Thanks everybody for the updates.
>
> Scott
>
>
> On Wed, Oct 2, 2013 at 3:36 AM, Hajime Morrita <[email protected]> wrote:
>
>>
>>
>>
>> On Wed, Oct 2, 2013 at 7:12 AM, Adam Barth <[email protected]> wrote:
>>
>>> I'd recommend the following:
>>>
>>> 1) When a document tries to import HTML from a URL, we use the 
>>> document's script-src directive to tell whether it should be allowed to do 
>>> that.
>>> 2) For an imported document, we should use the CSP policy that the 
>>> server supplied with the imported document.
>>>
>>
>> And Blink's behind-the-flag implementation is supporting this.
>> CSP1.1 ED vaguely mentions this as well. 
>> https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html
>> The description will be clarified to align this direction as it gets 
>> polished.
>>
>>  
>>
>>>
>>> In particular, that means that inline script and style are allowed in 
>>> imported documents by default even if they're banned in the main document. 
>>>  The server has the option, of course, to restrict that further by 
>>> supplying a tighter CSP policy in the HTTP response that contains the 
>>> imported document.
>>>  
>>> Adam
>>>
>>>
>>>
>>> On Tue, Oct 1, 2013 at 3:02 PM, Dimitri Glazkov <[email protected]> wrote:
>>>
>>>> +abarth, the editor of CSP spec.
>>>>
>>>> Adam, WDYT?
>>>>
>>>> :DG<
>>>>
>>>>
>>>> On Tue, Oct 1, 2013 at 9:54 AM, Erik Arvidsson <[email protected]> wrote:
>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Oct 1, 2013 at 12:36 PM, Scott Miles <[email protected]> wrote:
>>>>>
>>>>>> >> Once HTMLImport is supported natively there is no CSP issue any more.
>>>>>>
>>>>>> Assuming HTMLImport will be able to execute inline-script and still 
>>>>>> be CSP-compliant. I'm not aware of any official word on this question.
>>>>>>
>>>>>
>>>>> Good point. I just assumed that inline script in an external 
>>>>> HTMLImport would work. It needs some careful analysis to make sure we do 
>>>>> not introduce a way to do XSS using HTMLImports.
>>>>>   
>>>>>
>>>>>>
>>>>>> Failing that ability, we will be in the same boat.
>>>>>>  
>>>>>>
>>>>>> On Tue, Oct 1, 2013 at 9:32 AM, Erik Arvidsson <[email protected]> wrote:
>>>>>>
>>>>>>> On Tue, Oct 1, 2013 at 12:21 PM, <[email protected]> wrote:
>>>>>>>  
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tuesday, October 1, 2013 9:02:55 AM UTC-7, Scott Miles wrote:
>>>>>>>>>
>>>>>>>>> Fwiw, only the debug version of the Polymer loader uses 
>>>>>>>>> `document.write`. For CSP applications, you should use 
>>>>>>>>> `polymer.min.js`.
>>>>>>>>>
>>>>>>>>
>>>>>>>> I am only interested in the debug version....I work on debuggers ;-)
>>>>>>>>
>>>>>>>
>>>>>>> Polymer has source maps. If that is not good enough, maybe we can 
>>>>>>> improve the source maps support in the dev tools =P
>>>>>>>
>>>>>>>>> We prefer including our HTML and JS together in component 
>>>>>>>>> declarations, so it's not likely we will change all the polymer 
>>>>>>>>> elements to CSP-safe format.
>>>>>>>>>
>>>>>>>>
>>>>>>>> I agree with your preference, but because Chrome requires CSP, 
>>>>>>>> polymer is not an option.
>>>>>>>>  
>>>>>>>>
>>>>>>>>>  
>>>>>>>>> However, the `Vulcanizer` tool 
>>>>>>>>> <https://github.com/Polymer/labs/tree/master/vulcanize> is offered 
>>>>>>>>> to collate application dependencies, concatenate files, and 
>>>>>>>>> externalize all javascript for CSP compliance.
>>>>>>>>>
>>>>>>>>
>>>>>>>> The whole point of a scripting language is to trade the advantages 
>>>>>>>> of compile-time type-checking for rapid development cycles. Requiring 
>>>>>>>> a build for development is nuts IMO.
>>>>>>>>
>>>>>>>
>>>>>>> Once HTMLImport is supported natively there is no CSP issue any more.
>>>>>>>
>>>>>>> I don't think there is an option to do CSP before then without 
>>>>>>> a build step or a custom hosting server.
>>>>>>>   
>>>>>>>
>>>>>>>>  
>>>>>>>>
>>>>>>>>>  
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Oct 1, 2013 at 8:57 AM, <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> No part of polymer will load under CSP because it uses inline 
>>>>>>>>>> script tags, eg
>>>>>>>>>>  document.write('<script>PolymerLoader.load("' + scopeName + '")</script>');
>>>>>>>>>> https://github.com/Polymer/platform/blob/master/platform.js#L97
>>>>>>>>>>
>>>>>>>>>> These would need to be placed in files before Polymer would work 
>>>>>>>>>> on CSP sites or in Chrome browser extensions.
>>>>>>>>>>
>>>>>>>>>> (This cost would be tolerable if CSP had value).
>>>>>>>>>>
>>>>>>>>>> jjb
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Friday, September 27, 2013 5:19:54 PM UTC-7, Viet Hoa Dinh 
>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>  Hi all
>>>>>>>>>>>
>>>>>>>>>>> Here's how the ui toolbar components HTML part looks like:
>>>>>>>>>>>
>>>>>>>>>>> <link rel="import" href="../polymer-ui-theme-aware/polymer-ui-theme-aware.html">
>>>>>>>>>>> <link rel="import" href="../../polymer-elements/polymer-media-query/polymer-media-query.html">
>>>>>>>>>>> <link rel="import" href="../../polymer-elements/polymer-flex-layout/polymer-flex-layout.html">
>>>>>>>>>>>
>>>>>>>>>>> <polymer-element name="polymer-ui-toolbar" 
>>>>>>>>>>> extends="polymer-ui-theme-aware" attributes="responsiveWidth">
>>>>>>>>>>>   <template>
>>>>>>>>>>>     <link rel="stylesheet" href="polymer-ui-toolbar.css">
>>>>>>>>>>>     <polymer-flex-layout align="center"></polymer-flex-layout>
>>>>>>>>>>>     <polymer-media-query query="max-width: {{responsiveWidth}}" 
>>>>>>>>>>> queryMatches="{{queryMatches}}"></polymer-media-query>
>>>>>>>>>>>     <content></content>
>>>>>>>>>>>   </template>
>>>>>>>>>>>   <script>
>>>>>>>>>>>     Polymer('polymer-ui-toolbar', {
>>>>>>>>>>>       responsiveWidth: '800px',
>>>>>>>>>>>       queryMatches: false,
>>>>>>>>>>>       queryMatchesChanged: function() {
>>>>>>>>>>>         this.classList.toggle('narrow-layout', 
>>>>>>>>>>> this.queryMatches);
>>>>>>>>>>>       }
>>>>>>>>>>>     });
>>>>>>>>>>>   </script>
>>>>>>>>>>> </polymer-element>
>>>>>>>>>>>
>>>>>>>>>>> *Would it be possible to change it to make it more CSP 
>>>>>>>>>>> compliant?*
>>>>>>>>>>>
>>>>>>>>>>> <link rel="import" href="../polymer-ui-theme-aware/polymer-ui-theme-aware.html">
>>>>>>>>>>> <link rel="import" href="../../polymer-elements/polymer-media-query/polymer-media-query.html">
>>>>>>>>>>> <link rel="import" href="../../polymer-elements/polymer-flex-layout/polymer-flex-layout.html">
>>>>>>>>>>>
>>>>>>>>>>> <polymer-element name="polymer-ui-toolbar" 
>>>>>>>>>>> extends="polymer-ui-theme-aware" attributes="responsiveWidth">
>>>>>>>>>>>   <template>
>>>>>>>>>>>     <link rel="stylesheet" href="polymer-ui-toolbar.css">
>>>>>>>>>>>     <polymer-flex-layout align="center"></polymer-flex-layout>
>>>>>>>>>>>     <polymer-media-query query="max-width: {{responsiveWidth}}" 
>>>>>>>>>>> queryMatches="{{queryMatches}}"></polymer-media-query>
>>>>>>>>>>>     <content></content>
>>>>>>>>>>>   </template>
>>>>>>>>>>>   <script src="polymer-ui-toolbar.js" type="text/javascript"></script>
>>>>>>>>>>> </polymer-element>
>>>>>>>>>>>
>>>>>>>>>>> Would it work with the current version of polymer?
>>>>>>>>>>>  
>>>>>>>>>>> -- 
>>>>>>>>>>> Hoa V. Dinh
>>>>>>>>>>>
>>>>>>>>>>>  Follow Polymer on Google+: plus.google.com/107187849809354688692
>>>>>>>>>> --- 
>>>>>>>>>> You received this message because you are subscribed to the 
>>>>>>>>>> Google Groups "Polymer" group.
>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>>>>>> send an email to [email protected].
>>>>>>>>>>
>>>>>>>>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> erik
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> erik
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>>
>> -- 
>> morrita
>>  
>
>

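As an added example (not code from the thread or from the Polymer project), a Python script that performs the externalizing step the thread attributes to vulcanize, without needing node.js: it reports what a `script-src 'self'` policy refuses (inline `<script>` bodies and `on*=` handler attributes) and moves the inline script of the polymer-ui-toolbar element into a separate .js file, leaving `<script src=...>` tags untouched. The sample element is constructed from the markup quoted above and the output file name `polymer-ui-toolbar.js` is an assumption.

```python
import re

# Constructed sample input (assembled from the element quoted in the thread,
# not copied from a Polymer release): the inline-script form of polymer-ui-toolbar.
ELEMENT_HTML = """<link rel="import" href="../polymer-ui-theme-aware/polymer-ui-theme-aware.html">
<polymer-element name="polymer-ui-toolbar" extends="polymer-ui-theme-aware" attributes="responsiveWidth">
  <template>
    <link rel="stylesheet" href="polymer-ui-toolbar.css">
    <polymer-media-query query="max-width: {{responsiveWidth}}" queryMatches="{{queryMatches}}"></polymer-media-query>
    <content></content>
  </template>
  <script>
    Polymer('polymer-ui-toolbar', {
      responsiveWidth: '800px',
      queryMatches: false,
      queryMatchesChanged: function() {
        this.classList.toggle('narrow-layout', this.queryMatches);
      }
    });
  </script>
</polymer-element>
"""

SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.S | re.I)
HANDLER_RE = re.compile(r"\son[a-z]+\s*=", re.I)   # onclick=, onload=, ...
SRC_RE = re.compile(r"\bsrc\s*=", re.I)

def csp_violations(html):
    """List constructs a script-src 'self' policy blocks: inline <script> bodies and on*= handlers."""
    found = []
    for m in SCRIPT_RE.finditer(html):
        if not SRC_RE.search(m.group("attrs")):
            found.append("inline <script> at offset %d" % m.start())
    for m in HANDLER_RE.finditer(html):
        found.append("inline event handler at offset %d" % m.start())
    return found

def externalize_scripts(html, js_name):
    """Move every inline <script> body into one external file referenced by src.
    Returns (rewritten html, contents of the new .js file)."""
    bodies = []
    def swap(m):
        if SRC_RE.search(m.group("attrs")):
            return m.group(0)            # already external, leave it alone
        bodies.append(m.group("body").strip())
        return '<script src="%s"></script>' % js_name
    new_html = SCRIPT_RE.sub(swap, html)
    return new_html, "\n\n".join(bodies) + "\n"

if __name__ == "__main__":
    print(csp_violations(ELEMENT_HTML))
    html, js = externalize_scripts(ELEMENT_HTML, "polymer-ui-toolbar.js")
    print(html)
    print(js)
```

Whether the Polymer loader of that time accepts an external script inside a polymer-element is the open question Hoa raised and is not settled by this script; it only makes the markup pass the policy check.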
