On 02/02/2012 16:19, Russell Leggett wrote:
> I was just contending that CSP should not be required to be able to
> run first.
> As I said above, CSP provides additional protection that I'm happy to
> have, but as this thread is titled, "How to ensure that your script
> runs first in a webpage," that is what I was trying to debate. As long
> as I put my protection script as the first element of the head tag, is
> there any way that a malicious attacker could somehow run a script
> first? I think the answer is no. That is the counter-example I am
> looking for.
I guess I mistitled my post :-)
As you note, CSP is not necessary to ensure running your script first,
but it makes it easy to ensure this property, while in some cases, you may
put some script at the end or someone with good intentions can put the
@defer attribute and without thinking about it, you've lost your
first place.
However, with CSP, since only one script runs (assuming the platform
supports it of course), it's the first, regardless of where it is in the
document and the attributes that you've provided (@async or @defer),
allowing you more flexibility.
Sorry for the confusing title :-)
David
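
The two ways of losing first place described in the message above (the protection script placed later in the document, or a well-meant @defer or @async on it) can be checked mechanically. The following is an added example, not code from the thread: a small JavaScript lint that assumes the protection script is an external script identified by its src (the hypothetical `/guard.js`) and that the markup is simple enough for regex matching. It also flags `type=module`, which goes slightly beyond the message, because module scripts are deferred by default.

```javascript
// Added example, not from the thread. Regex-based lint for simple markup;
// it is not a full HTML parser. "/guard.js" below is a hypothetical name.
function scriptTags(html) {
  // Drop comments so commented-out tags are not counted.
  const clean = html.replace(/<!--[\s\S]*?-->/g, "");
  const tagRe = /<script\b([^>]*)>/gi;
  const tags = [];
  let m;
  while ((m = tagRe.exec(clean)) !== null) {
    const attrs = Object.create(null);
    const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    tags.push(attrs);
  }
  return tags;
}

function checkGuardFirst(html, guardSrc) {
  const tags = scriptTags(html);
  const idx = tags.findIndex((t) => t.src === guardSrc);
  if (idx === -1) return [`guard script ${guardSrc} not found`];
  const problems = [];
  if (idx > 0) problems.push(`${idx} script tag(s) precede the guard`);
  const guard = tags[idx];
  for (const attr of ["defer", "async"]) {
    // Either attribute stops the guard from blocking the parser, so
    // scripts later in the document can execute before it.
    if (attr in guard) problems.push(`guard carries @${attr}`);
  }
  if ((guard.type || "").toLowerCase() === "module") {
    problems.push("guard is type=module (deferred by default)");
  }
  return problems;
}

// Constructed sample documents.
const samples = {
  ok: '<head><script src="/guard.js"></script><script src="/app.js"></script></head>',
  deferred: '<head><script src="/guard.js" defer></script><script>init()</script></head>',
  late: '<head><script src="/app.js"></script><script src="/guard.js"></script></head>',
};
for (const [name, html] of Object.entries(samples)) {
  console.log(name, checkGuardFirst(html, "/guard.js"));
}
```

An empty result means the guard is the first script tag in document order and still blocks the parser; it says nothing about the CSP side of the discussion.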