W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: CSP and web analytics

From: Bil Corry <bil@corry.biz>
Date: Thu, 09 Jun 2011 10:07:30 -0700
Message-ID: <4DF0FDD2.8030406@corry.biz>
To: gaz Heyes <gazheyes@gmail.com>
CC: John Wilander <john.wilander@owasp.org>, public-web-security@w3.org
gaz Heyes wrote on 6/8/2011 12:53 PM:
> On 8 June 2011 20:38, John Wilander <john.wilander@owasp.org
> <mailto:john.wilander@owasp.org>> wrote:
>
> I actually started thinking about whitelisted script element ids to
> augment CSP statements and allow for e.g. inline analytics blocks.
> But then I ran into what we'd like to call "DOM Identity Theft" since
> browsers are specified to return the /first/ element with the given
> id when getElementById() is called. Is the technique already known?
> Under a different name?.
>
>
> Glad to see you're on the same page ;) Yeah there is another name,
> DOM Clobbering, I'd don't mind what name is given as long as it isn't
> plastered all over the media. As you can imagine it gets quite fun
> with analytics + clobbering

Do you have a link to a resource describing "DOM Clobbering"?  Google only found a single mention, your quote above:

	http://www.google.com/search?q=%22dom+clobbering%22

Maybe John should write up his "DOM Identity Theft".


- Bil
Received on Thursday, 9 June 2011 17:08:24 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:26:19 UTC