Re: CSP and web analytics

On 8 June 2011 20:38, John Wilander <> wrote:

> I actually started thinking about whitelisted script element ids to augment
> CSP statements and allow for e.g. inline analytics blocks. But then I ran
> into what we'd like to call "DOM Identity Theft" since browsers are
> specified to return the *first* element with the given id when
> getElementById() is called. Is the technique already known? Under a
> different name?.

Glad to see you're on the same page ;) Yeah there is another name, DOM
Clobbering, I'd don't mind what name is given as long as it isn't plastered
all over the media. As you can imagine it gets quite fun with analytics +

Received on Wednesday, 8 June 2011 19:54:06 UTC