[whatwg] The choice of script global object to use when the script element is moved
    Anne van Kesteren 
    annevk at opera.com
       
    Wed Sep  8 02:10:01 PDT 2010
    
    
  
On Tue, 07 Sep 2010 22:57:27 +0200, Adam Barth <w3c at adambarth.com> wrote:
> It sounds like CSP is creating sub-origin privileges.  Sub-origin
> privileges don't really work, so it's unclear what a sensible
> result would be.

This is a problem with your alternative CSP proposal as well, no?

https://wiki.mozilla.org/Security/CSP/AllowedScripts

It prevents a bunch of things, but when loaded in an iframe someone else
on the same origin can still inject a script of some sort.

-- 
Anne van Kesteren
http://annevankesteren.nl/