On Wed, Sep 8, 2010 at 2:24 AM, Anne van Kesteren <ann...@opera.com> wrote:
> On Wed, 08 Sep 2010 11:20:30 +0200, Adam Barth <w...@adambarth.com> wrote:
>>
>> The goal of AllowedScripts is not to limit a privilege to a subset of
>> an origin. Rather, the goal is to prevent an attacker who can inject
>> markup into a document from executing script. Put another way, if
>> you're already executing script, then it's not trying to withhold any
>> privileges.
>
> Fair enough. I guess if one page gets compromised all else that is same
> origin is lost anyway.
As I understand it, this is the general design thinking for CSP too. Additionally, the recommended best practice is to use the same CSP policies for all URLs in a domain, which also avoids the discussed attack.

/ Jonas
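To make the point concrete, here is an added example (not code from the thread or from any browser): a minimal CSP script-src evaluator run over a constructed origin where one legacy path lacks the policy. It assumes a simplified source-expression matcher ('self', 'none', 'unsafe-inline', plain host sources, with script-src falling back to default-src) and ignores nonces and hashes.

```python
from urllib.parse import urlsplit

# Constructed example: which pages of one origin would execute an injected
# inline script, given a per-path CSP header versus one uniform policy.

def script_sources(policy):
    """script-src source list, falling back to default-src; None if neither."""
    directives = {}
    for directive in (policy or "").split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return directives.get("script-src", directives.get("default-src"))

def _host_matches(source, script_url, page_url):
    script = urlsplit(script_url)
    if source == "'self'":
        page = urlsplit(page_url)
        return (script.scheme, script.netloc) == (page.scheme, page.netloc)
    # Plain host source ("cdn.example" or "https://cdn.example"), exact match.
    src = urlsplit(source if "://" in source else "//" + source)
    return script.netloc == src.netloc and (not src.scheme or src.scheme == script.scheme)

def script_allowed(policy, page_url, script):
    """script: {'inline': True} for injected inline script, or {'src': url}."""
    sources = script_sources(policy)
    if sources is None:          # no policy at all: nothing is withheld
        return True
    if "'none'" in sources:
        return False
    if script.get("inline"):
        return "'unsafe-inline'" in sources
    return any(_host_matches(s, script["src"], page_url) for s in sources)

def pages_where_injection_runs(policies_by_path, origin, script):
    """Sorted paths of the origin on which the given script would execute."""
    return sorted(path for path, policy in policies_by_path.items()
                  if script_allowed(policy, origin + path, script))

# Constructed origin: strict policy on the main app, but /legacy ships no CSP.
ORIGIN = "https://app.example"
STRICT = "default-src 'self'; script-src 'self' https://cdn.example"
PER_PATH = {"/": STRICT, "/account": STRICT, "/legacy": None}
UNIFORM = {path: STRICT for path in PER_PATH}
INJECTED = {"inline": True}

if __name__ == "__main__":
    print("per-path policy, injection runs on:", pages_where_injection_runs(PER_PATH, ORIGIN, INJECTED))
    print("uniform policy, injection runs on: ", pages_where_injection_runs(UNIFORM, ORIGIN, INJECTED))
```

Since /legacy is same-origin with /account, a script running there has the whole origin's privileges, which is why the gap matters even though /account itself is covered.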