Only the debug version of polymer uses inline script tags. Minified polymer (polymer.min.js) does not.
However, the HTML Imports polyfill can execute strings as JavaScript, which requires CSP sandboxing mode, which then disables XHR.
IIRC this is why the FAQ ultimately blames XHR; obviously the reality is more nuanced.
CSP can be satisfied without sandboxing using: (1) polymer.min.js, (2) 100% external JavaScript in elements.
Various Polymer elements use inline script tags, but if you custom build your own elements, you can externalize the JS and avoid CSP.
As it's a bad idea to custom build all elements, the vulcanizer tool has been provided which can walk an application's dependency tree and produce concatenated, CSP-friendly source.
http://www.polymer-project.org/faq.html#csp
"This is because the HTML Imports polyfill uses XHR to do its magic. "
Same-origin policy and XHR: http://en.wikipedia.org/wiki/Same_origin_policy
CSP: https://developer.mozilla.org/en-US/docs/Security/CSP
Polymer fails CSP because (at least) it uses inline script tags to simulate module loading.
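Added example, not part of this thread or of Polymer's own code: a small Node.js check for the inline script the discussion above is about, reporting markup that a policy such as `script-src 'self'` would refuse to run. The function name `findInlineScript` and the `x-demo` element and file names are assumptions made for the illustration.

```javascript
// Added example: heuristic scan (regex-based, not a full HTML parser) for
// markup that a policy like "script-src 'self'" refuses to execute.

function findInlineScript(html) {
  const findings = [];
  // Drop HTML comments so commented-out markup is not reported.
  const source = html.replace(/<!--[\s\S]*?-->/g, '');

  // <script> elements are acceptable only when they load from src=.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(source)) !== null) {
    const hasSrc = /(?:^|\s)src\s*=/i.test(m[1]);
    const body = m[2].trim();
    if (!hasSrc && body.length > 0) {
      findings.push({ kind: 'inline-script', detail: body.slice(0, 40) });
    }
  }

  // Inline event handler attributes (onclick=, onload=, ...) are also blocked.
  const tagRe = /<([a-z][\w-]*)\b([^>]*)>/gi;
  while ((m = tagRe.exec(source)) !== null) {
    const attrRe = /(?:^|\s)(on[a-z]+)\s*=/gi;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      findings.push({ kind: 'inline-handler', detail: `${m[1]} ${a[1]}` });
    }
  }
  return findings;
}

// Constructed sample elements (hypothetical names x-demo, x-demo.js).
const inlineElement = `
<polymer-element name="x-demo">
  <template><button onclick="go()">Go</button></template>
  <script>Polymer('x-demo', { go: function () {} });</script>
</polymer-element>`;

const externalElement = `
<polymer-element name="x-demo">
  <template><button id="go">Go</button></template>
  <script src="x-demo.js"></script>
</polymer-element>`;

console.log(findInlineScript(inlineElement));
console.log(findInlineScript(externalElement));
```

Running it over an application's element files before enabling the policy shows which ones still need their script moved to external files.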