The RSA site got pwned due to third-party JS. Dare I say some form of sub-resource integrity might have helped? http://krebsonsecurity.com/2014/05/complexity-as-the-enemy-of-security/
Replying to @BRIAN_____
@BRIAN_____ iframe-based privilege reduction is already available on the web platform. Is there a form of privilege reduction that will be adopted?

Replying to @frgx
@frgx for cross-origin scripts? I wish! I argued for this at IEEE CSF 09. @BRIAN_____

Replying to @BrendanEich
@BrendanEich @BRIAN_____ well, ES6 realms might make pure script isolation a lot easier?

Replying to @frgx
@frgx @BRIAN_____ As a new opt-in for something like <script src=... realm=_new>, maybe, but ads/analytics want same-realm injection.

Replying to @BrendanEich
@BrendanEich exactly what I am trying to convince @BRIAN_____

Replying to @frgx
@frgx A new realm is not wanted, though -- ads want to see the includer's DOM, e.g. See my next tweet. @BRIAN_____

Replying to @BrendanEich
@BrendanEich exactly, I am also trying to say that a new realm/priv-sep is unlikely to be adopted by ads/analytics

Replying to @frgx
@frgx @BrendanEich I disagree. I think they might be willing to give up quite a few privs in exchange for, e.g., fraud/tampering protection.

@frgx @BrendanEich Or, for example, we could think more carefully about encouraging priv separation by tying it to <a ping> or sendBeacon.