Re: CSP and web analytics

On 8 June 2011 20:38, John Wilander <john.wilander@owasp.org> wrote:

> I actually started thinking about whitelisted script element ids to augment
> CSP statements and allow for e.g. inline analytics blocks. But then I ran
> into what we'd like to call "DOM Identity Theft" since browsers are
> specified to return the *first* element with the given id when
> getElementById() is called. Is the technique already known? Under a
> different name?
>

Glad to see you're on the same page ;) Yeah, there is another name, DOM
Clobbering. I don't mind what name is given as long as it isn't plastered
all over the media. As you can imagine, it gets quite fun with analytics +
clobbering.

Received on Wednesday, 8 June 2011 19:54:06 UTC