- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Fri, 10 Jun 2011 21:56:56 -0700
- To: John Wilander <john.wilander@owasp.org>
- CC: public-web-security@w3.org
On 6/8/11 12:38 PM, John Wilander wrote:
> I actually started thinking about whitelisted script element ids to
> augment CSP statements and allow for e.g. inline analytics blocks.
> But then I ran into what we'd like to call "DOM Identity Theft"
> since browsers are specified to return the /first/ element with the
> given id when getElementById() is called. Is the technique already
> known? Under a different name?
>
> Signed code blocks are too fragile I think. Randomized ids may be a
> way forward – whitelist a given script element id, browser augments
> it with random string at rendering.

We've talked about "script-keys" before. It can be used to address
script injection so in some ways it could be an alternative to CSP (if
there's interest), or it could be incorporated as part of CSP as an
extra layer of protection (especially for sites who feel the need to
enable inline scripts).

We left it out in the interest of making progress standardizing what
we already have but it's certainly worth discussing as a standalone
feature or a later addition to CSP.

-Dan Veditz
Received on Saturday, 11 June 2011 04:57:42 UTC
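
The first-match behaviour of getElementById() discussed in this thread can be checked for on a served page. The following is an added example, not code from the thread or from any CSP implementation: it audits a hypothetical whitelist of script element ids and reports which element each id would actually resolve to. The function names, the whitelist and the sample markup are assumptions, and the tag scanner is a simplification rather than an HTML5 parser.

```javascript
// Simplified start-tag scanner (assumption: no comments, CDATA, or "<" in script text).
const START_TAG = /<([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
const ATTR = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Return [{tag, id, offset}] for every element carrying a non-empty id, in document order.
function elementsWithId(html) {
  const found = [];
  for (const m of html.matchAll(START_TAG)) {
    for (const a of m[2].matchAll(ATTR)) {
      if (a[1].toLowerCase() !== "id") continue; // data-id etc. do not count
      const id = a[2] ?? a[3] ?? a[4] ?? "";
      if (id !== "") found.push({ tag: m[1].toLowerCase(), id, offset: m.index });
      break; // only the first id attribute on an element is used
    }
  }
  return found;
}

// For each whitelisted script id, report what a first-match lookup would return.
function auditWhitelistedIds(html, whitelist) {
  const byId = new Map();
  for (const el of elementsWithId(html)) {
    if (!byId.has(el.id)) byId.set(el.id, []);
    byId.get(el.id).push(el);
  }
  return whitelist.map((id) => {
    const hits = byId.get(id) || [];
    const first = hits[0]; // the element getElementById(id) resolves to
    let verdict = "ok";
    if (hits.length === 0) verdict = "missing";
    else if (hits.length > 1) verdict = "duplicate-id";
    else if (first.tag !== "script") verdict = "not-a-script";
    return { id, count: hits.length, resolvesTo: first ? first.tag : null, verdict };
  });
}

// Constructed sample page: the id "analytics" appears on a div before the script.
const SAMPLE = `<html><body>
<div id="analytics">user supplied text</div>
<p data-id="analytics" title="id=analytics">decoy attributes</p>
<script id="analytics">track();</script>
<script id="widget">init();</script>
</body></html>`;

for (const row of auditWhitelistedIds(SAMPLE, ["analytics", "widget", "absent"])) {
  console.log(row.id, row.verdict, "count=" + row.count, "resolvesTo=" + row.resolvesTo);
}
```

A whitelist entry is only meaningful when its verdict is "ok"; any "duplicate-id" result means the id no longer identifies a single element.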