On Tue, Jun 3, 2014 at 9:59 AM, Boris Zbarsky <bzbar...@mit.edu> wrote:
> On 6/3/14, 12:48 PM, Hajime Morrita wrote:
>
>> HTML Imports are a bit more strict. They see the CORS header and decline if
>> there is none for cross-origin imports.
>> Also, requests for imports don't send any credentials to other origins.
>
> These two measures prevent attacks on other origins via imports.
> It does nothing about attacks by the imported script on the page the
> import is happening into.

Perhaps it would make sense to also require explicit allowing of imports via CSP? Scripts are allowed when no CSP is provided for historical compatibility, so you'd need to make sure that imports fell under a separate directive, but there's no need for backwards compatibility, so it probably makes sense to choose a more conservative default behaviour for HTML Imports.
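To make the proposal concrete, here is an added toy model (not code from the thread or from any browser) contrasting the historical script-src default with the conservative default suggested for imports. It assumes a hypothetical `import-src` directive that does not fall back to `default-src`; the directive name and the no-fallback rule are illustrative assumptions, not a real CSP feature.

```javascript
// Added example: a minimal CSP model. "import-src" is a HYPOTHETICAL
// directive name used only to illustrate the proposal in the email.

// Parse "dir1 src src; dir2 src" into a Map of directive -> [sources].
// As in real CSP, the first occurrence of a directive wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does a source list permit an origin? Handles 'none', '*', 'self' and
// exact origin matches; scheme/host wildcards are out of scope here.
function sourceListAllows(sources, origin, pageOrigin) {
  if (sources.includes("'none'")) return false;
  return sources.some((s) =>
    s === '*' || (s === "'self'" && origin === pageOrigin) || s === origin);
}

// Classic script loads: for historical compatibility, no policy or no
// applicable directive means the load is allowed.
function allowsScript(header, origin, pageOrigin) {
  if (!header) return true;
  const policy = parseCsp(header);
  const sources = policy.get('script-src') || policy.get('default-src');
  if (!sources) return true;
  return sourceListAllows(sources, origin, pageOrigin);
}

// Proposed behaviour for imports (assumption): the separate directive must
// be present and explicitly list the origin; absent policy or absent
// directive means deny, and there is no fallback to default-src.
function allowsImport(header, origin, pageOrigin) {
  if (!header) return false;
  const sources = parseCsp(header).get('import-src');
  if (!sources) return false;
  return sourceListAllows(sources, origin, pageOrigin);
}
```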