On Tue, Jun 3, 2014 at 7:20 PM, Oda, Terri <terri....@intel.com> wrote:
> Perhaps it would make sense to also require explicit allowing of imports via
> CSP? Scripts are allowed when no CSP is provided for historical
> compatibility so you'd need to make sure that imports fell under a separate
> directive, but there's no need for backwards compatibility so it probably
> makes sense to choose a more conservative default behaviour for HTML
> Imports.

Using <script import> seems like a solution that would be better in that case, as it does not provide opt-in through HTTP. Whenever we require HTTP for a feature, we get a ton of complaints. And <script import> is not that bad authoring-wise either:

  <script import></script>
  <link rel="import" href>

(Okay, you win two code points if you omit the quotes with <link>.)

--
http://annevankesteren.nl/