- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Thu, 29 Jan 2015 17:30:28 -0800
- To: david kaye <dfkaye@yahoo.com>, Mike West <mkwst@google.com>
- Cc: "public-webappsec\@w3.org" <public-webappsec@w3.org>
david kaye <dfkaye@yahoo.com> writes:
> Deian,
> Hadn't thought of that - good one.
> So, given:
> //untrusted.evil/file1.jsfunction f(str) {
> eval('alert("w00t")')}
> //trusted.com/file1.js
> f('3+4');
> I would expect an error as f is defined in the untrusted file.
>
> If the engines don't mark or source-map definitions by path, then it's not something CSP can specify/enforce by itself.
> Should I take this up with es-discuss and circle back?
I think that there is a patch for Chromium that associates labels
(origins) with strings, but I don't think that this has landed (nor if
it ever will). This may help going beyond the on/off model, but I think
that coming up with semantics that are not ad-hoc is hard. (Though
interesting to think about further.) Maybe someone on es-discuss had
thought about this more than me though.
Best,
Deian
Received on Friday, 30 January 2015 01:30:54 UTC