Re: Including the Javascript stack trace in the ContentSecurityPolicy report

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Fri, 02 Aug 2013 12:43:36 -0400
Message-ID: <51FBE1B8.1050508@mit.edu>
To: public-webappsec@w3.org

On 8/2/13 12:40 PM, Boris Zbarsky wrote:
>> The extra cost only occurs if a violation is detected which is expected
>> to be a rare event.
>
> The extra cost is that of either forcing CSP checks to be sync under DOM
> mutations or forcing DOM mutations to snapshot JS callstacks.

Oh, and I guess only in the case when there is a CSP.  So one obvious 
optimization for UAs is to continue doing load processing async but 
deoptimize the "has CSP" case by only snapshotting stacks on DOM 
mutations if there is a policy.  Which also seems suboptimal.  :(

-Boris
Received on Friday, 2 August 2013 16:44:05 UTC
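The trade-off discussed in this message, as a toy model added here for illustration (not code from the thread or from any browser): load checks stay asynchronous, and the script stack is snapshotted at DOM-mutation time only when a policy exists. `ToyDocument`, its methods, the report field names and the example URLs are all made up for this sketch.

```javascript
// Toy model of a UA's load pipeline (constructed for illustration).
class ToyDocument {
  constructor(policy) { // null, or { imgSrc: [allowed origins] }
    this.policy = policy;
    this.pendingLoads = [];
    this.reports = [];
    this.snapshotsTaken = 0;
  }
  // DOM mutation, called synchronously from page script.
  setImageSrc(url) {
    const load = { url, mutationStack: null };
    if (this.policy) { // the "has CSP" deoptimization
      load.mutationStack = new Error().stack;
      this.snapshotsTaken++;
    }
    this.pendingLoads.push(load);
  }
  // Load processing, run later and off the script's call stack.
  processLoads() {
    for (const load of this.pendingLoads.splice(0)) {
      if (!this.policy) continue;
      if (this.policy.imgSrc.includes(new URL(load.url).origin)) continue;
      this.reports.push({
        blockedUri: load.url,
        stackAtCheck: new Error().stack,     // no page script frames here
        stackAtMutation: load.mutationStack, // names the script that did it
      });
    }
  }
}

function loadLogo(doc) { doc.setImageSrc("https://static.example/logo.png"); }
function injectTracker(doc) { doc.setImageSrc("https://tracker.example/p.gif"); }

function runDemo(policy) {
  const doc = new ToyDocument(policy);
  loadLogo(doc);
  injectTracker(doc);
  doc.processLoads();
  return doc;
}
const demo = runDemo({ imgSrc: ["https://static.example"] });
console.log(demo.snapshotsTaken, demo.reports.length);
```

With a policy set, both mutations pay for a snapshot although only one load violates the policy; with no policy, none is taken.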