- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 02 Aug 2013 12:43:36 -0400
- To: public-webappsec@w3.org
On 8/2/13 12:40 PM, Boris Zbarsky wrote:
>> The extra cost only occurs if a violation is detected which is expected
>> to be a rare event.
>
> The extra cost is that of either forcing CSP checks to be sync under DOM
> mutations or forcing DOM mutations to snapshot JS callstacks.

Oh, and I guess only in the case when there is a CSP. So one obvious optimization for UAs is to continue doing load processing async but deoptimize the "has CSP" case by only snapshotting stacks on DOM mutations if there is a policy.

Which also seems suboptimal. :(

-Boris
Received on Friday, 2 August 2013 16:44:05 UTC