On Tue, Apr 7, 2015 at 5:58 AM, Mike West <mkwst@google.com> wrote:
> CCing folks who were inadvertently dropped from explicit CC, to widen the
> net.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Tue, Apr 7, 2015 at 1:39 PM, Mike West <mkwst@google.com> wrote:
>
>> After thinking about this a bit more over the holidays, I think I'm more
>> in agreement with you than I thought, Dev. :)
>>
>> What do you think about this:
>>
>> 1. Move imports to `import-src` (we'll need to measure usage in Chrome,
>> but assuming this is mostly an extension thing at this point, it should be
>> doable).
>>
>> 2. Give imports their own policy (that is, no longer inherit from the
>> containing document) like Workers and frames, which would enable them to
>> either whitelist `unsafe-inline` themselves, or use nonces/hashes whatever.
>>
>
This seems encouraging. What is the bottom line for developers using CSP?
What is the least that they need to do in order to make HTML Imports usable?
:DG<