How to ensure that your script runs first in a webpage

John J Barton johnjbarton at johnjbarton.com
Wed Feb 1 15:02:07 PST 2012


On Wed, Feb 1, 2012 at 2:41 PM, David Bruant <bruant.d at gmail.com> wrote:
> Hi,
>
> I have claimed here a couple of times, that in a JavaScript application
> containing code from different parties, the first to run is the one that
> is in position to make decisions about security of the overall
> application (freezing the primordials for a defender or monkey-patching
> them if you're an attacker). I still have no proof (I feel it's coming
> though) about it, but a strong intuition.
>
> Assuming this is true, then, on the web, one has to make sure that her
> protecting script runs first. How to ensure this, though? There is
> always a risk that with an XSS an attacker's script runs before the
> protecting one.
> I think I have found an answer and it is: with Content Security Policy
> (CSP) [1].

Perhaps you can help me understand your reasoning here. To me, you
have indeed "found the answer" and the "one that is in position to
make decisions about security of the overall application" is in fact
the browser that implements CSP.

I guess you have some use case in mind that you might share. It seems
to me if you don't want a script to load, then don't load it. But
somehow you want to load this attacker then prevent it from being
successful?

jjb
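The defender-side half of the quoted claim ("freezing the primordials" before any other party's code runs) as an added, runnable example. This is not code from the thread or from either poster; the set of roots it freezes is a constructed, deliberately conservative choice, and the `freezePrimordials`, `tamperAttemptFails` and `primordialStatus` names are this example's own. It generalizes the idea to any list of root objects so the same walk can be pointed at a wider set of intrinsics.

```javascript
'use strict';

// Added example, not from the es-discuss thread. A "protecting script" that
// must run first deep-freezes a chosen set of built-in objects so that code
// loaded later cannot monkey-patch them. DEFAULT_ROOTS is a constructed,
// conservative set; a complete hardening pass covers every intrinsic,
// including Object.prototype, and then has to cope with the "override
// mistake" (assignments to inherited non-writable properties failing).
const DEFAULT_ROOTS = [JSON, Math, Array.prototype, String.prototype];

// Deep-freeze every object reachable from `roots` through own-property
// values, getters and setters. Returns the number of objects frozen.
function freezePrimordials(roots = DEFAULT_ROOTS) {
  const seen = new Set();
  const queue = [...roots];
  let frozen = 0;
  while (queue.length > 0) {
    const obj = queue.pop();
    if (obj === null || (typeof obj !== 'object' && typeof obj !== 'function')) continue;
    if (seen.has(obj)) continue;
    seen.add(obj);
    Object.freeze(obj);
    frozen += 1;
    // Follow data values and accessor functions, including symbol-keyed ones.
    for (const key of Reflect.ownKeys(obj)) {
      const desc = Object.getOwnPropertyDescriptor(obj, key);
      if (!desc) continue;
      if ('value' in desc) queue.push(desc.value);
      if (desc.get) queue.push(desc.get);
      if (desc.set) queue.push(desc.set);
    }
  }
  return frozen;
}

// Simulate a later-loaded script trying to replace `target[key]` (the classic
// monkey-patch). Returns true when the original binding survived, i.e. the
// attempt had no effect. Strict-mode code sees a TypeError on the assignment;
// sloppy-mode code sees a silent no-op; both are handled here.
function tamperAttemptFails(target, key, replacement) {
  const original = target[key];
  try {
    target[key] = replacement;
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
  }
  return target[key] === original;
}

// Self-check a protecting script can run before handing control to other
// parties: one boolean per root, true when that root is frozen.
function primordialStatus(roots = DEFAULT_ROOTS) {
  return roots.map((root) => Object.isFrozen(root));
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('objects frozen:', freezePrimordials());
  console.log('Array.prototype.push survives tampering:',
    tamperAttemptFails(Array.prototype, 'push', () => 'patched'));
  console.log('roots frozen:', primordialStatus());
}
```

The ordering point from the quoted post is what makes this worth anything: the freeze only protects code that runs after it, so the script containing it has to be the first one the page executes, which is where a policy such as `Content-Security-Policy: script-src 'self' 'nonce-<value>'` comes in, by refusing to run injected inline or third-party scripts at all rather than by racing them.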

