On Wed, Feb 1, 2012 at 2:41 PM, David Bruant <bruan...@gmail.com> wrote:
> Hi,
>
> I have claimed here a couple of times, that in a JavaScript application
> containing code from different parties, the first to run is the one that
> is in position to make decisions about security of the overall
> application (freezing the primordials for a defender or monkey-patching
> them if you're an attacker). I still have no proof (I feel it's coming
> though) about it, but a strong intuition.
>
> Assuming this is true, then, on the web, one has to make sure that her
> protecting script runs first. How to ensure this, though? There is
> always a risk that with an XSS an attacker's script runs before the
> protecting one.
> I think I have found an answer and it is: with Content Security Policy
> (CSP) [1].
Perhaps you can help me understand your reasoning here. To me, you have indeed "found the answer" and the "one that is in position to make decisions about security of the overall application" is in fact the browser that implements CSP. I guess you have some use case in mind that you might share. It seems to me if you don't want a script to load, then don't load it. But somehow you want to load this attacker then prevent it from being successful?

jjb
_______________________________________________
es-discuss mailing list
es-discuss@mozilla.org
https://mail.mozilla.org/listinfo/es-discuss