[whatwg] The choice of script global object to use when the script element is moved
Jonas Sicking
jonas at sicking.cc
Wed Sep 8 10:05:01 PDT 2010
On Wed, Sep 8, 2010 at 2:24 AM, Anne van Kesteren <annevk at opera.com> wrote:
> On Wed, 08 Sep 2010 11:20:30 +0200, Adam Barth <w3c at adambarth.com> wrote:
>>
>> The goal of AllowedScripts is not to limit a privilege to a subset of
>> an origin. Rather, the goal is to prevent an attacker who can inject
>> markup into a document from executing script. Put another way, if
>> you're already executing script, then it's not trying to withhold any
>> privileges.
>
> Fair enough. I guess if one page gets compromised all else that is same
> origin is lost anyway.
As I understand it, this is the general design thinking for CSP too.
Additionally, the recommended best practices is to use the same CSP
policies for all urls in a domain, which also avoids the discussed
attack.
/ Jonas
More information about the whatwg
mailing list