New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should std:xxx be governed by CSP? #40

Open

shhnjk opened this issue Mar 14, 2019 · 0 comments

shhnjk commented Mar 14, 2019

When Layered API increases, there maybe a case where Layered API could be used as a script gadget. And I think browser should provide a way for site owner block loading of std: scripts (e.g. std:virtual-scroller).

Just to be clear, I'm talking about an attack like following, where JS file is hosted within the browser and there's no way for website to block attacker from abusing that script.
https://mksben.l0.cm/2018/05/cve-2018-5175-firefox-csp-strict-dynamic-bypass.html

The text was updated successfully, but these errors were encountered:

shhnjk mentioned this issue

Import maps should be controlled by CSP WICG/import-maps#105

Closed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment