JavaScript security in CSP-enabled browsers (was: Re: How to ensure that your script runs first in a webpage)

David Bruant bruant.d at
Thu Feb 2 07:36:20 PST 2012

On 02/02/2012 16:19, Russell Leggett wrote:
> I was just contending that CSP should not be required to be able to 
> run first.
> As I said above, CSP provides additional protection that I'm happy to 
> have, but as this thread is titled, "How to ensure that your script 
> runs first in a webpage," that is what I was trying to debate. As long 
> as I put my protection script as the first element of the head tag, is 
> there any way that a malicious attacker could somehow run a script 
> first? I think the answer is no. That is the counter-example I am 
> looking for.
I guess I mistitled my post :-)

As you note, CSP is not necessary to ensure running your script first, 
but it makes it easy to ensure this property, while in some cases, you may 
put some script at the end or someone with good intentions can put the 
@defer attribute and without thinking about it, you've lost your 
first place.
However, with CSP, since only one script runs (assuming the platform 
supports it of course), it's the first, regardless of where it is in the 
document and the attributes that you've provided (@async or @defer), 
allowing you more flexibility.

Sorry for the confusing title :-)
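
An added example, not part of the original message: a build-time check for the non-CSP case discussed above, reporting when a protection script is no longer the first script element or has picked up @defer or @async. The file names guard.js and app.js and the sample pages are constructed for illustration, and the attribute check is deliberately conservative.

```python
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Records the attributes of every <script> start tag in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            # Boolean attributes such as defer arrive as ("defer", None).
            self.scripts.append({name: value or "" for name, value in attrs})


def guard_runs_first(html, guard_src):
    """Return the reasons guard_src may not execute first (empty list = OK)."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    scripts = collector.scripts
    index = next((i for i, s in enumerate(scripts) if s.get("src") == guard_src), None)
    if index is None:
        return [f"{guard_src} is not loaded by any <script> element"]
    problems = []
    if index > 0:
        problems.append(f"{index} script element(s) precede {guard_src}")
    # Conservative: @defer or @async only matters when other scripts exist.
    for attr in ("defer", "async"):
        if attr in scripts[index] and len(scripts) > 1:
            problems.append(f"{guard_src} has @{attr}; another script can run before it")
    return problems


# Constructed sample pages; guard.js and app.js are hypothetical file names.
GOOD = '<html><head><script src="guard.js"></script><script src="app.js"></script></head></html>'
DEFERRED = '<html><head><script defer src="guard.js"></script><script src="app.js"></script></head></html>'
LATE = '<html><head><script>var x = 1;</script></head><body><script src="guard.js"></script></body></html>'

if __name__ == "__main__":
    for name, page in (("GOOD", GOOD), ("DEFERRED", DEFERRED), ("LATE", LATE)):
        print(name, guard_runs_first(page, "guard.js") or "guard runs first")
```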

