[whatwg] The choice of script global object to use when the script element is moved

Jonas Sicking jonas at sicking.cc
Wed Sep 8 10:05:01 PDT 2010


On Wed, Sep 8, 2010 at 2:24 AM, Anne van Kesteren <annevk at opera.com> wrote:
> On Wed, 08 Sep 2010 11:20:30 +0200, Adam Barth <w3c at adambarth.com> wrote:
>>
>> The goal of AllowedScripts is not to limit a privilege to a subset of
>> an origin.  Rather, the goal is to prevent an attacker who can inject
>> markup into a document from executing script.  Put another way, if
>> you're already executing script, then it's not trying to withhold any
>> privileges.
>
> Fair enough. I guess if one page gets compromised all else that is same
> origin is lost anyway.

As I understand it, this is the general design thinking for CSP too.

Additionally, the recommended best practices is to use the same CSP
policies for all urls in a domain, which also avoids the discussed
attack.

/ Jonas



More information about the whatwg mailing list