On Tue, Sep 7, 2010 at 1:40 AM, Henri Sivonen <hsivo...@iki.fi> wrote: > On Sep 3, 2010, at 20:55, Jonas Sicking wrote: >> On Fri, Sep 3, 2010 at 10:47 AM, Adam Barth <w...@adambarth.com> wrote: >>> I'm not sure it makes much of a difference from a security point of >>> view. >> >> Agreed. Pages can only move elements between pages that are in the >> same security context anyway so I can't really think of any attacks >> that any of the approaches would enable or disable. > > Suppose there are two docs from one Origin. The document that the parser is > associated with doesn't have a CSP. A script in it moves a node in such a way > that the parser ends up inserting subsequent scripts into another document. > That document has a CSP that bans scripts. Would you consider it a bug if a > script ran in the context of the script global object of the document whose > CSP says no scripts?
It sounds like CSP is creating sub-origin privileges. Sub-origin privileges don't really work, so it's unclear to what a sensible result would be. Adam