Yup, like I said, it shouldn't be any worse. From what I've seen with chrome, at the very least, import links are handled with the same CSP as script tags. Which is certainly a good thing. I suppose that If you needed the ability to sandbox them further, just wrap them inside a sandboxed iframe. It's a bit ugly but it works. On Jun 2, 2014 5:56 AM, "Anne van Kesteren" <ann...@annevk.nl> wrote:
> On Mon, Jun 2, 2014 at 2:54 PM, James M Snell <jasn...@gmail.com> wrote: > > So long as they're handled with the same policy and restrictions as the > > script tag, it shouldn't be any worse. > > Well, <script> is assumed to be unsafe, <link> is not (at least not to > the same extent). > > > -- > http://annevankesteren.nl/ >
