- From: Deian Stefan <deian@cs.stanford.edu>
- Date: Thu, 29 Jan 2015 17:30:28 -0800
- To: david kaye <dfkaye@yahoo.com>, Mike West <mkwst@google.com>
- Cc: "public-webappsec\@w3.org" <public-webappsec@w3.org>
david kaye <dfkaye@yahoo.com> writes: > Deian, > Hadn't thought of that - good one. > So, given: > //untrusted.evil/file1.jsfunction f(str) { > eval('alert("w00t")')} > //trusted.com/file1.js > f('3+4'); > I would expect an error as f is defined in the untrusted file. > > If the engines don't mark or source-map definitions by path, then it's not something CSP can specify/enforce by itself. > Should I take this up with es-discuss and circle back? I think that there is a patch for Chromium that associates labels (origins) with strings, but I don't think that this has landed (nor if it ever will). This may help going beyond the on/off model, but I think that coming up with semantics that are not ad-hoc is hard. (Though interesting to think about further.) Maybe someone on es-discuss had thought about this more than me though. Best, Deian
Received on Friday, 30 January 2015 01:30:54 UTC