[whatwg] The choice of script global object to use when the script element is moved
Adam Barth
w3c at adambarth.com
Wed Sep 8 02:20:30 PDT 2010
On Wed, Sep 8, 2010 at 2:10 AM, Anne van Kesteren <annevk at opera.com> wrote:
> On Tue, 07 Sep 2010 22:57:27 +0200, Adam Barth <w3c at adambarth.com> wrote:
>> It sounds like CSP is creating sub-origin privileges. Sub-origin
>> privileges don't really work, so it's unclear to what a sensible
>> result would be.
>
> This is a problem with your alternative CSP proposal as well, no?
>
> https://wiki.mozilla.org/Security/CSP/AllowedScripts
>
> It prevents a bunch of things, but when loaded in an iframe someone else on
> the same-origin can still inject a script of some sorts.
The goal of AllowedScripts is not to limit a privilege to a subset of
an origin. Rather, the goal is to prevent an attacker who can inject
markup into a document from executing script. Put another way, if
you're already executing script, then it's not trying to withhold any
privileges.
Adam
More information about the whatwg
mailing list