Is CSP meaningful if not served over HTTPS? cc @BRIAN_____
Replying to @imelven
@imelven @BRIAN_____ how many XSS attacks (reflected or stored) involve network control? I'd guess none.
Replying to @dveditz
@dveditz @imelven @metromoxie Note in particular that SRI protects CSP when specified in <meta> (only).
@dveditz @imelven @metromoxie My proof that CSP nonce is not secure is easily adapted to a passive (SRI-limited) network attack + XSS.
11:00 PM - 7 Nov 2014