
Re: CSP and web analytics

From: Bil Corry <bil@corry.biz>
Date: Thu, 09 Jun 2011 10:07:30 -0700
Message-ID: <4DF0FDD2.8030406@corry.biz>
To: gaz Heyes <gazheyes@gmail.com>
CC: John Wilander <john.wilander@owasp.org>, public-web-security@w3.org
gaz Heyes wrote on 6/8/2011 12:53 PM:
> On 8 June 2011 20:38, John Wilander <john.wilander@owasp.org
> <mailto:john.wilander@owasp.org>> wrote:
> > I actually started thinking about whitelisted script element ids to
> > augment CSP statements and allow for e.g. inline analytics blocks.
> > But then I ran into what we'd like to call "DOM Identity Theft" since
> > browsers are specified to return the /first/ element with the given
> > id when getElementById() is called. Is the technique already known?
> > Under a different name?
> Glad to see you're on the same page ;) Yeah, there is another name,
> DOM Clobbering; I don't mind what name is given as long as it isn't
> plastered all over the media. As you can imagine it gets quite fun
> with analytics + clobbering

Do you have a link to a resource describing "DOM Clobbering"? Google only found a single mention, your quote above:


Maybe John should write up his "DOM Identity Theft".

- Bil
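The failure mode John describes above, shown as an added example (it is not code from this thread or from any of its authors). The DOM is simulated with a small stand-in class so the script runs under Node without a browser: its `getElementById` mirrors the specified behaviour of returning the first element in document order with a given id, and `allById` is a hypothetical helper standing in for `querySelectorAll('#id')`. The "hardened" policy assumes a per-response secret attribute (nonce-style; the thread itself does not discuss nonces) and the sample documents are constructed.

```javascript
// Added example, not code from the thread. The DOM is simulated so it runs under
// Node: `getElementById` returns the FIRST node in document order with that id,
// which is the behaviour the thread calls "DOM Identity Theft" / "DOM Clobbering".
class FakeDocument {
  constructor(nodes) { this.nodes = nodes; }                    // nodes in document order
  getElementById(id) { return this.nodes.find(n => n.id === id) || null; }
  allById(id) { return this.nodes.filter(n => n.id === id); }   // hypothetical stand-in for querySelectorAll('#id')
}

// Naive policy from the thread: "the inline script whose id is on the allowlist may run".
// Returns the element the policy would bless, i.e. whatever getElementById hands back.
function naiveSelect(doc, allowedId) {
  return doc.getElementById(allowedId);
}

// Hardened policy: the id must be unique in the document, the element must be a
// <script>, and it must carry a per-response secret (nonce-style attribute; this
// mechanism is assumed here, not taken from the thread). Anything else fails closed.
function hardenedSelect(doc, allowedId, expectedNonce) {
  const matches = doc.allById(allowedId);
  if (matches.length !== 1) return null;                        // duplicate id: refuse
  const el = matches[0];
  if (el.tag !== 'script' || el.nonce !== expectedNonce) return null;
  return el;
}

// Constructed sample documents. `origin` records who produced each node.
const NONCE = 'r4nd0m-per-response';   // constructed value, would be fresh per response
const cleanDoc = new FakeDocument([
  { tag: 'div',    id: 'content',   origin: 'site' },
  { tag: 'script', id: 'analytics', origin: 'site', nonce: NONCE, text: 'track()' },
]);
// Same page, but user-controlled markup earlier in the document reuses the id.
const clobberedDoc = new FakeDocument([
  { tag: 'div',    id: 'content',   origin: 'site' },
  { tag: 'script', id: 'analytics', origin: 'user', text: '/* user-controlled */' }, // appears first
  { tag: 'script', id: 'analytics', origin: 'site', nonce: NONCE, text: 'track()' },
]);

// Runs both policies over both documents and reports which origin each one blessed.
function demo() {
  const hardClean = hardenedSelect(cleanDoc, 'analytics', NONCE);
  return {
    naiveClean:     naiveSelect(cleanDoc, 'analytics').origin,       // 'site'
    naiveClobbered: naiveSelect(clobberedDoc, 'analytics').origin,   // 'user': wrong element blessed
    hardClean:      hardClean ? hardClean.origin : null,             // 'site'
    hardClobbered:  hardenedSelect(clobberedDoc, 'analytics', NONCE), // null: fails closed
  };
}

console.log(demo());
```

The point of the comparison is that an id is not a capability: any markup that lands earlier in document order can claim it, so a policy keyed on ids alone blesses the wrong element without any error. Tying the allowlist to something the page author controls and an injector cannot reproduce, and refusing to proceed when the id is not unique, turns the same situation into a detectable failure.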
Received on Thursday, 9 June 2011 17:08:24 UTC
