Re: CSP and web analytics

gaz Heyes wrote on 6/8/2011 12:53 PM:
> On 8 June 2011 20:38, John Wilander <
> <>> wrote:
> I actually started thinking about whitelisted script element ids to
> augment CSP statements and allow for e.g. inline analytics blocks.
> But then I ran into what we'd like to call "DOM Identity Theft" since
> browsers are specified to return the /first/ element with the given
> id when getElementById() is called. Is the technique already known?
> Under a different name?.
> Glad to see you're on the same page ;) Yeah there is another name,
> DOM Clobbering, I'd don't mind what name is given as long as it isn't
> plastered all over the media. As you can imagine it gets quite fun
> with analytics + clobbering

Do you have a link to a resource describing "DOM Clobbering"?  Google only found a single mention, your quote above:

Maybe John should write up his "DOM Identity Theft".

- Bil

Received on Thursday, 9 June 2011 17:08:24 UTC