I so wish this one sparrow would a summer make :) #xss https://twitter.com/garethheyes/status/1022392850183536640
Sad that, in the announcement, they advertise that CSP offers an XSS protection. It's very much not one, even according to the spec. pic.twitter.com/5iIw82Gmrs
Replying to @kkotowicz
IIRC, Mozilla developed CSP as a better alternative to implementing an XSS filter; it was intended to be a security mechanism more effective than XSS filters. The first line of defense is to prevent injection before it happens and that hasn't changed.
Replying to @BRIAN_____
Fully agreed, but what lots of developers believe is that CSP is a magic header that stops XSS, and such language ("our customers remain protected thanks to [..] CSP") only makes it worse.
Replying to @kkotowicz
I'm pretty sure developers know CSP is a magic header that breaks your website. The biggest problem with CSP is that it was enforced by web browsers, instead of by templating engines. In some sense it was browser developers pulling a "We must do something; this is something..."
Replying to @BRIAN_____ @kkotowicz
However, around the time of CSP 2, browsers also needed a CSP-like mechanism for other reasons (app sandboxing in Firefox; extension sandboxing in Chrome), and also there was somewhat of a sunk-cost fallacy that's lasted until recently (IIUC) Google told Google it doesn't want CSP.
Replying to @BRIAN_____
What I'm getting from it is that touting CSP is passé. I'm indifferent to that, what bugs me is that selling CSP as an XSS protection mechanism is not only technically wrong, it's harmful to the ecosystem & it makes my job explaining XSS to devs harder.
Replying to @kkotowicz
Sure. I'm trying to explain why they say that: CSP is "what browsers are doing about XSS." It's too hard to say "We tried to do something about XSS but it didn't work so we're not going to do anything now."
Replying to @BRIAN_____
I'm working on something that attempts to fit more into how JS apps are written now. More configurable, more local, but auditable. But it still is a browser feature, not fully userland. Curious what's your take on https://github.com/WICG/trusted-types
It would be useful to see it broken down into "this is the absolute minimum that the browser would have to implement to allow us to implement the rest as a JS library" + the rest. I agree that CSP makes less and less sense the more dynamic the content of the page is.
Replying to @BRIAN_____
Unspoofable types have to be provided by the platform, and as such, all of the API that produces them (createPolicy). Hooking into sinks and triggering CSP violations can be userland, but it's cumbersome. Plus - that part is easy to impl in your IDL