How to ensure that your script runs first in a webpage

Russell Leggett russell.leggett at
Thu Feb 2 07:19:41 PST 2012

> You're making me realize that in (CSP-disabled) browsers, running first
> may not be enough. Considering inline scripts, these can run after you, but
> can be hurtful anyway.
> For instance, even if you run first, you can't prevent later inline
> scripts from accessing the "document" property of the global object (it is
> non-configurable and the spec is the one saying so [1])

Yes, I agree with you here, I was just contending that CSP should not be
required to be able to run first.

> I think I said this before and you mentioned the title tag.
> (snip)
> Regardless of before or after the title tag, if we want to run first, it
> seems necessary (in CSP-disabled browsers) to have an inline synchronous
> <script>. This is annoying for performance. However, it seems that CSP
> allows not only to safely run any JavaScript in the page, but to do it with
> performance as well (actually, a web browser, when seeing only one URL in
> the script-src directive could decide to fetch the js file even before the
> HTML has finished being downloaded).

This is an important point. I will concede that I like to put all my script
tags at the bottom of the page for precisely this reason. Being able to put
the protection script at the bottom for performance reasons and still
guarantee running first would definitely be a win.

> Ultimately, while I think there is value in CSP, for sure, in this case
> isn't it just easier to put your protection script all the way at the top?
> I would be happy to see a counter-example.
> Inline scripts which have access to the document object (which can easily
> be ab-used for phishing)?

As I said above, CSP provides additional protection that I'm happy to have,
but as this thread is titled, "How to ensure that your script runs first in
a webpage," that is what I was trying to debate. As long as I put my
protection script as the first element of the head tag, is there any way
that a malicious attacker could somehow run a script first? I think the
answer is no. That is the counter-example I am looking for.

- Russ
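
The limit discussed in this thread, as an added example that is not part of the original message: a script that runs first can durably remove a configurable global, but cannot remove a non-configurable one such as `document`. The global object is a constructed stand-in run under Node.js rather than a real browser window, and `makeFakeGlobal`, `lockDown` and `laterScriptView` are hypothetical names.

```javascript
'use strict';

// Constructed stand-in for a browser global object (not a real window).
function makeFakeGlobal() {
  const g = {};
  const doc = { title: 'constructed page' };
  // Modelled as the quoted message describes it: non-configurable.
  Object.defineProperty(g, 'document', {
    get() { return doc; }, enumerable: true, configurable: false,
  });
  // An ordinary configurable, writable global.
  Object.defineProperty(g, 'XMLHttpRequest', {
    value: function XMLHttpRequest() {}, writable: true,
    enumerable: false, configurable: true,
  });
  return g;
}

// Hypothetical protection script: runs first and tries to replace each
// named global with a fixed, non-configurable `undefined`.
function lockDown(g, names) {
  const report = {};
  for (const name of names) {
    // Reflect.defineProperty returns false instead of throwing on refusal.
    const sealed = Reflect.defineProperty(g, name, {
      value: undefined, writable: false, enumerable: false, configurable: false,
    });
    report[name] = sealed ? 'removed' : 'still reachable';
  }
  return report;
}

// What a script running later on the same page can still see or undo.
function laterScriptView(g) {
  return {
    document: typeof g.document,
    XMLHttpRequest: typeof g.XMLHttpRequest,
    // Attempt to put the removed global back; refused once it is sealed.
    canRestore: Reflect.defineProperty(g, 'XMLHttpRequest', {
      value: function XMLHttpRequest() {},
    }),
  };
}

const fakeGlobal = makeFakeGlobal();
console.log(lockDown(fakeGlobal, ['document', 'XMLHttpRequest']));
console.log(laterScriptView(fakeGlobal));
```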