- From: Bil Corry <bil@corry.biz>
- Date: Thu, 09 Jun 2011 10:07:30 -0700
- To: gaz Heyes <gazheyes@gmail.com>
- CC: John Wilander <john.wilander@owasp.org>, public-web-security@w3.org
gaz Heyes wrote on 6/8/2011 12:53 PM:
> On 8 June 2011 20:38, John Wilander <john.wilander@owasp.org
> <mailto:john.wilander@owasp.org>> wrote:
>
>     I actually started thinking about whitelisted script element ids to
>     augment CSP statements and allow for e.g. inline analytics blocks.
>     But then I ran into what we'd like to call "DOM Identity Theft" since
>     browsers are specified to return the /first/ element with the given
>     id when getElementById() is called. Is the technique already known?
>     Under a different name?
>
>
> Glad to see you're on the same page ;) Yeah there is another name,
> DOM Clobbering, I don't mind what name is given as long as it isn't
> plastered all over the media. As you can imagine it gets quite fun
> with analytics + clobbering

Do you have a link to a resource describing "DOM Clobbering"? Google only found a single mention, your quote above:

http://www.google.com/search?q=%22dom+clobbering%22

Maybe John should write up his "DOM Identity Theft".

- Bil
Received on Thursday, 9 June 2011 17:08:24 UTC
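
The first-match behaviour quoted above can be audited before an id allowlist is trusted. The following is an added example, not code from anyone in the thread: a simplified regex scanner over constructed markup that reports which element each allowlisted id would resolve to. The names `collectIds` and `auditAllowlist`, the sample HTML and the "must be a unique script element" policy are assumptions.

```javascript
// Constructed sample: an earlier element reuses the id of an allowlisted script.
const SAMPLE_HTML = `
<div id="comments"><a id="analytics" href="#">earlier element reusing the id</a></div>
<script id="analytics">/* site's inline analytics block */</script>
<script id="loader">/* another allowlisted block */</script>
`;

// Collect every start tag that carries an id, in document order.
// Simplified scanner: assumes no '>' inside attribute values and no '<' in
// script bodies. In a browser, document.querySelectorAll('[id]') gives the
// same ordered list from the real DOM.
function collectIds(html) {
  const found = [];
  const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
  const idRe = /(?:^|\s)id\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const idMatch = idRe.exec(m[2]);
    if (idMatch) {
      const id = idMatch[1] ?? idMatch[2] ?? idMatch[3];
      found.push({ tag: m[1].toLowerCase(), id });
    }
  }
  return found;
}

// Mimic the first-match rule of getElementById(): for each allowlisted id,
// report the element a lookup would return and whether the id is ambiguous.
function auditAllowlist(html, allowlist) {
  const elements = collectIds(html);
  return allowlist.map((id) => {
    const matches = elements.filter((e) => e.id === id);
    const first = matches[0] || null;
    return {
      id,
      count: matches.length,
      resolvesTo: first ? first.tag : null,
      // Assumed policy: trust an id only if it is unique and names a <script>.
      ok: matches.length === 1 && first.tag === "script",
    };
  });
}

const report = auditAllowlist(SAMPLE_HTML, ["analytics", "loader", "missing"]);
console.log(report);
```
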