The RSA site got pwned due to third-party JS. Dare I say some form of sub-resource integrity might have helped? http://krebsonsecurity.com/2014/05/complexity-as-the-enemy-of-security/ …
@BRIAN_____ iframe-based privilege reduction is already available on the web platform. Is there a form of privilege reduction that will be adopted?
@frgx @BRIAN_____ For cross-origin scripts? I wish! I argued for this at IEEE CSF 09.
@BrendanEich @BRIAN_____ Well, ES6 realms might make pure script isolation a lot easier?
@frgx @BRIAN_____ As a new opt-in for something like <script src=... realm=_new> maybe, but ads/analytics want same-realm injection.
@BrendanEich Exactly what I am trying to convince @BRIAN_____.
@frgx @BRIAN_____ A new realm is not wanted, though -- ads want to see the includer's DOM, e.g. See my next tweet.
@BrendanEich Exactly. I am also trying to say that a new realm/priv-sep is unlikely to be adopted by ads/analytics.
@frgx @BrendanEich I disagree. I think they might be willing to give up quite a few privs in exchange for, e.g., fraud/tampering protection.
@BRIAN_____: What would you like to see? How can we meaningfully reduce the privilege of script running in your origin? @frgx
@BRIAN_____: Put another way, what does GA need to run? And how can we give it just that? @frgx
@BRIAN_____ @mikewest When GA wants to update the set of listeners to add (say, a new spec), how will GA update it across the web?