- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 8 Sep 2010 10:05:01 -0700
On Wed, Sep 8, 2010 at 2:24 AM, Anne van Kesteren <annevk at opera.com> wrote:
> On Wed, 08 Sep 2010 11:20:30 +0200, Adam Barth <w3c at adambarth.com> wrote:
>>
>> The goal of AllowedScripts is not to limit a privilege to a subset of
>> an origin. Rather, the goal is to prevent an attacker who can inject
>> markup into a document from executing script. Put another way, if
>> you're already executing script, then it's not trying to withhold any
>> privileges.
>
> Fair enough. I guess if one page gets compromised all else that is same
> origin is lost anyway.

As I understand it, this is the general design thinking for CSP too.

Additionally, the recommended best practice is to use the same CSP policy for all URLs in a domain, which also avoids the discussed attack.

/ Jonas
Received on Wednesday, 8 September 2010 10:05:01 UTC
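The "same policy for every URL on the origin" advice above is easy to state and easy to drift away from once a site has a few legacy pages. The following is an added example, not code from the thread or from any of the participants: a small WSGI middleware that stamps one Content-Security-Policy header on every response regardless of path, plus a checker that groups observed (url, header) pairs by origin and reports the URLs whose policy differs from the origin's most common one, including pages that send no CSP at all, since those are the same-origin weak spot the discussion is about. The sample responses, the `example.test` / `other.test` hostnames and all function names are constructed for the example.

```python
"""Added example (not from the original thread): apply one CSP across an origin
and detect URLs that deviate from it. Sample data below is constructed."""
from collections import Counter
from urllib.parse import urlsplit

CSP_HEADER = "Content-Security-Policy"


def parse_csp(header):
    """Parse a CSP header value into {directive-name: frozenset(source-expressions)}.
    A directive repeated later in the same header is ignored, as CSP specifies."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:
            policy[name] = frozenset(parts[1:])
    return policy


def origin_of(url):
    """scheme://host[:port], lower-cased: the unit the same-origin policy reasons about."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _policy_key(header):
    """Hashable, order-independent form of a parsed policy (None when no header was sent)."""
    if header is None:
        return None
    return frozenset(parse_csp(header).items())


def find_inconsistent(responses):
    """responses: iterable of (url, csp_header_or_None).
    Returns {origin: [urls whose policy differs from that origin's most common policy]}.
    Pages with no CSP always count as deviating; an origin with no CSP anywhere is
    reported with all of its URLs."""
    by_origin = {}
    for url, header in responses:
        by_origin.setdefault(origin_of(url), []).append((url, _policy_key(header)))
    report = {}
    for origin, entries in by_origin.items():
        counts = Counter(k for _, k in entries if k is not None)
        if not counts:
            report[origin] = [url for url, _ in entries]
            continue
        canonical = counts.most_common(1)[0][0]
        deviating = [url for url, k in entries if k != canonical]
        if deviating:
            report[origin] = deviating
    return report


def apply_policy(headers, policy):
    """Return a copy of a WSGI header list with exactly one CSP header set to `policy`,
    replacing any per-page value the application tried to send."""
    kept = [(k, v) for k, v in headers if k.lower() != CSP_HEADER.lower()]
    kept.append((CSP_HEADER, policy))
    return kept


def same_policy_middleware(app, policy):
    """WSGI middleware: every response on this host carries the same CSP, whatever the path."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            return start_response(status, apply_policy(headers, policy), exc_info)
        return app(environ, start)
    return wrapped


# Constructed sample: one origin whose legacy page relaxes script-src and whose
# static help page sends no CSP at all, plus an unrelated origin that is consistent.
SAMPLE_RESPONSES = [
    ("https://example.test/", "default-src 'self'; script-src 'self'"),
    ("https://example.test/admin", "default-src 'self'; script-src 'self'"),
    ("https://example.test/legacy/report.html",
     "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("https://example.test/static/help.html", None),
    ("https://other.test/", "default-src 'none'"),
]

if __name__ == "__main__":
    for origin, urls in find_inconsistent(SAMPLE_RESPONSES).items():
        print(origin)
        for u in urls:
            print("  deviates:", u)
```

The checker treats the most common policy as the intended one, which is the usual situation when a handful of old pages have been exempted; if an origin has been deliberately split into several policies, each deviating URL still shows up, which is the point: an attacker who can inject markup into any one of those pages gets whatever the loosest page allows, so the policy that matters is the weakest one served anywhere on the origin.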