The advantage of privileges for different JS sources is that you can centralize all manipulation of sensitive data or security-relevant features. Think of the privileged code as an interface through which unprivileged code accesses security-relevant data or features, but only those the privileged code allows, and only in such a way that the privileged code controls what happens.
Imagine, for example, that a web page has an error reporting system. If unprivileged code reaches an error that the user should know about, such as invalid input, the unprivileged code (which cannot access the DOM, call alert(), or communicate with the user directly in any way) would call a function inside the privileged code called something like error_wrong_input(error_code). Instead of manipulating the DOM directly, the unprivileged code, which could be XSS, has alerted the user without manipulating the DOM in a custom way: it defers to an error code that displays a predetermined message, without any risk of XSS.
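The error_wrong_input pattern above, as an added example that is not code from the original post: a privileged module exposes one frozen, narrow interface, the caller passes only a code, and the message reaching the page is chosen from a fixed table and written as text, never as markup. The names (ERROR_MESSAGES, createErrorReporter, simulateUnprivilegedCaller) are assumptions, and the privilege boundary itself is the browser feature the post proposes; plain JS can only model the interface shape, not enforce it.

```javascript
// Fixed table of user-facing messages. Unprivileged code can select one by
// code but can never supply message text of its own.
const ERROR_MESSAGES = Object.freeze({
  1: "The value you entered is not valid.",
  2: "This field is required.",
  3: "Your session has expired; please sign in again.",
});

// Privileged side: builds the interface over an output element. Any object
// with a writable textContent works, so this also runs outside a browser.
function createErrorReporter(outputEl) {
  // Only the properties of the returned (frozen) object are reachable from
  // unprivileged code; nothing here hands out the element itself.
  return Object.freeze({
    error_wrong_input(errorCode) {
      // Accept only a known integer code. Strings, markup, or unknown numbers
      // all fall back to a generic message instead of reaching the sink.
      const known =
        Number.isInteger(errorCode) &&
        Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, errorCode);
      // textContent, not innerHTML: the string is treated as data, never
      // parsed as HTML, so even the fixed messages cannot introduce markup.
      outputEl.textContent = known
        ? ERROR_MESSAGES[errorCode]
        : "An unknown error occurred.";
      return known;
    },
  });
}

// Unprivileged side (e.g. inline script, possibly injected): it holds only
// the reporter, so the most it can do is pick which predetermined message
// the user sees. Returns whether the code was accepted.
function simulateUnprivilegedCaller(reporter, userSuppliedCode) {
  return reporter.error_wrong_input(userSuppliedCode);
}

// Constructed stand-in for a DOM element, so the example runs anywhere.
const fakeEl = { textContent: "" };
const reporter = createErrorReporter(fakeEl);
simulateUnprivilegedCaller(reporter, 1);
console.log(fakeEl.textContent); // The value you entered is not valid.
```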
This wouldn’t just be used for error messaging, of course: interaction with a server or the use of confidential data should also be tightly controlled and, more importantly, shouldn’t be accessed directly by inline JS, which could be XSS.
And, as I think of them, privileges shall prevent XSS injected in the page from accessing confidential data or interacting with the user, not a lot else.
Many people agree that these problems are important factors in why XSS is still so significant, although we have known about it for more than a decade. XSS is:
- difficult to spot
- difficult to prevent
- devastating, even if only one XSS exists in the whole page
I think that disabling JS locally may address the second point, while privilege levels for JS address the last one. It could reduce the harm that a single unescaped line of user input inserted into the page at an unprivileged point could do.
And I think that inline JS, if privileges are enabled, should be unprivileged by default, always deferring to privileged sources that can’t be manipulated by the user for handling any of the security-related data or features.
And CSP is thus far not enough: it has too few options, and therefore too little uptake in large projects, because it doesn’t give them the options that privileges could.