W3C home > Mailing lists > Public > public-web-security@w3.org > June 2011

Re: CSP and web analytics

From: Daniel Veditz <dveditz@mozilla.com>
Date: Fri, 10 Jun 2011 21:56:56 -0700
Message-ID: <4DF2F598.9050101@mozilla.com>
To: John Wilander <john.wilander@owasp.org>
CC: public-web-security@w3.org
On 6/8/11 12:38 PM, John Wilander wrote:
> I actually started thinking about whitelisted script element ids to
> augment CSP statements and allow for e.g. inline analytics blocks.
> But then I ran into what we'd like to call "DOM Identity Theft"
> since browsers are specified to return the /first/ element with the
> given id when getElementById() is called. Is the technique already
> known? Under a different name?.
> Signed code blocks are to fragile I think. Randomized ids may be a
> way forward – whitelist a given script element id, browser augments
> it with random string at rendering.

We've talked about "script-keys" before. It can be used to address
script injection so in some ways it could an alternative to CSP (if
there's interest), or it could be incorporated as part of CSP as an
extra layer of protection (especially for sites who feel the need to
enable inline scripts).

We left it out in the interest of making progress standardizing what
we already have but it's certainly worth discussing as a standalone
feature or a later addition to CSP.

-Dan Veditz
Received on Saturday, 11 June 2011 04:57:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:09:26 UTC