Re: CSP and web analytics

From: gaz Heyes <gazheyes@gmail.com>
Date: Wed, 8 Jun 2011 20:53:31 +0100
Message-ID: <BANLkTi=MEyZt_nokzQke+DYHcT1s_EpJyQ@mail.gmail.com>
To: John Wilander <john.wilander@owasp.org>
Cc: public-web-security@w3.org

On 8 June 2011 20:38, John Wilander <john.wilander@owasp.org> wrote:

> I actually started thinking about whitelisted script element ids to augment
> CSP statements and allow for e.g. inline analytics blocks. But then I ran
> into what we'd like to call "DOM Identity Theft" since browsers are
> specified to return the *first* element with the given id when
> getElementById() is called. Is the technique already known? Under a
> different name?
>

Glad to see you're on the same page ;) Yeah, there is another name, DOM
Clobbering. I don't mind what name is given as long as it isn't plastered
all over the media. As you can imagine, it gets quite fun with analytics +
clobbering.
Received on Wednesday, 8 June 2011 19:54:06 UTC
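
The first-match lookup rule discussed in this thread, as an added example that is not part of the original messages: an audit that reports what each whitelisted script id would resolve to and flags ids that are duplicated or do not land on a script element. The function names, the simplified tag scanner and the sample page are assumptions constructed for illustration.

```javascript
// Added example: audit id-based script whitelisting against duplicate ids.
// Simplified tag scanner for illustration; it is not a full HTML parser
// (it does not handle '>' inside attribute values, comments or CDATA).
function elementsWithId(html) {
  const found = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)((?:\s[^>]*)?)>/g;
  const idRe = /(?:^|\s)id\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const idMatch = idRe.exec(m[2]);
    if (idMatch) {
      const id = idMatch[1] ?? idMatch[2] ?? idMatch[3];
      found.push({ tag: m[1].toLowerCase(), id, offset: m.index });
    }
  }
  return found; // in document order
}

// Mimics the lookup rule from the thread: the first element with the id wins.
function firstMatchById(html, id) {
  return elementsWithId(html).find((e) => e.id === id) || null;
}

// For each whitelisted id, report what a first-match lookup would resolve to.
// "ok" requires exactly one element with that id, and it must be a <script>.
function auditWhitelist(html, whitelistedIds) {
  const all = elementsWithId(html);
  return whitelistedIds.map((id) => {
    const matches = all.filter((e) => e.id === id);
    const first = matches[0] || null;
    return {
      id,
      count: matches.length,
      resolvesTo: first ? first.tag : null,
      ok: matches.length === 1 && first.tag === "script",
    };
  });
}

// Constructed sample: user-supplied markup appears before the site's script.
const SAMPLE_PAGE = `
<html><body>
<div class="comment"><a id="analytics" href="#">hi</a></div>
<script id="analytics">/* site's inline analytics block */</script>
<script id="site-config">/* other inline block */</script>
</body></html>`;

console.log(auditWhitelist(SAMPLE_PAGE, ["analytics", "site-config"]));
```

An id that fails this audit cannot serve as the identity of a trusted inline block, because the lookup no longer names a unique script element.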