Is CSP meaningful if not served over HTTPS? cc @BRIAN_____
@dveditz @imelven @metromoxie Note in particular that SRI protects CSP when specified in <meta> (only).
-
@dveditz @imelven @metromoxie My proof that CSP nonce is not secure is easily adapted to a passive (SRI-limited) network attack + XSS.