- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 8 Sep 2010 02:20:30 -0700
On Wed, Sep 8, 2010 at 2:10 AM, Anne van Kesteren <annevk at opera.com> wrote: > On Tue, 07 Sep 2010 22:57:27 +0200, Adam Barth <w3c at adambarth.com> wrote: >> It sounds like CSP is creating sub-origin privileges. ?Sub-origin >> privileges don't really work, so it's unclear to what a sensible >> result would be. > > This is a problem with your alternative CSP proposal as well, no? > > https://wiki.mozilla.org/Security/CSP/AllowedScripts > > It prevents a bunch of things, but when loaded in an iframe someone else on > the same-origin can still inject a script of some sorts. The goal of AllowedScripts is not to limit a privilege to a subset of an origin. Rather, the goal is to prevent an attacker who can inject markup into a document from executing script. Put another way, if you're already executing script, then it's not trying to withhold any privileges. Adam
Received on Wednesday, 8 September 2010 02:20:30 UTC