[whatwg] The choice of script global object to use when the script element is moved

Adam Barth w3c at adambarth.com
Tue Sep 7 13:57:27 PDT 2010


On Tue, Sep 7, 2010 at 1:40 AM, Henri Sivonen <hsivonen at iki.fi> wrote:
> On Sep 3, 2010, at 20:55, Jonas Sicking wrote:
>> On Fri, Sep 3, 2010 at 10:47 AM, Adam Barth <w3c at adambarth.com> wrote:
>>> I'm not sure it makes much of a difference from a security point of
>>> view.
>>
>> Agreed. Pages can only move elements between pages that are in the
>> same security context anyway so I can't really think of any attacks
>> that any of the approaches would enable or disable.
>
> Suppose there are two docs from one Origin. The document that the parser is associated with doesn't have a CSP. A script in it moves a node in such a way that the parser ends up inserting subsequent scripts into another document. That document has a CSP that bans scripts. Would you consider it a bug if a script ran in the context of the script global object of the document whose CSP says no scripts?

It sounds like CSP is creating sub-origin privileges.  Sub-origin
privileges don't really work, so it's unclear what a sensible
result would be.

Adam


