Even with a 100% locked-down CSP (including experimental navigate-to; probably impractical for most sites), there are likely ways to exfiltrate data using endpoints on the same origin (e.g. new user form with payload in name field + attacker-controlled email) 2/3
CSP is already over-hyped as XSS protection (it's a mitigation; real solution is injection-proof templates). It's irresponsible to say it also lets you run untrusted JavaScript safely. You can't. You HAVE to scrutinize your dependencies. 3/3
Now that it doesn't claim CSP is a solution anymore, the article is a pretty good and entertaining read about the risk of dependencies. https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
to @D__Gilbertson for making the correction.
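The thread's point that the real fix for XSS is an injection-proof template rather than CSP is easy to show in code. The following is an added example, not code from the thread or from the linked article: a tagged-template helper that HTML-escapes every interpolated value, placed beside the raw string concatenation it replaces. The function names (`html`, `renderUnsafe`, `renderSafe`) and the sample input are assumptions constructed for the example.

```javascript
// Added example (not from the thread): contextual escaping as the primary
// XSS defence. CSP remains a second layer; it does not make untrusted
// input or untrusted scripts safe on its own.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are author-written markup and are kept
// as-is; every interpolated value is escaped before it is joined in, so
// untrusted data can never introduce new tags or attributes.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// The injection-prone pattern: data concatenated straight into markup.
function renderUnsafe(name) {
  return '<p>Hello, ' + name + '</p>';
}

// The injection-proof pattern: the same markup built through the template tag.
function renderSafe(name) {
  return html`<p>Hello, ${name}</p>`;
}

// Constructed sample input (not real data): a value that carries markup.
const CONSTRUCTED_INPUT = '<img src=x onerror="alert(1)">';

// Check used to compare the two renderers: does a live <img> tag survive?
function containsImgTag(rendered) {
  return /<img\b/i.test(rendered);
}

// Summary of both renderers over the constructed input.
function demo() {
  return {
    unsafeHasTag: containsImgTag(renderUnsafe(CONSTRUCTED_INPUT)), // true
    safeHasTag: containsImgTag(renderSafe(CONSTRUCTED_INPUT)),     // false
    safeOutput: renderSafe(CONSTRUCTED_INPUT),
  };
}

console.log(demo());
```

The template tag only covers HTML text and double-quoted attribute contexts; values placed into URLs, inline event handlers or `<script>` bodies need their own context-specific encoding, which is exactly why a proper templating engine with contextual autoescaping is the thread's recommendation rather than a hand-rolled helper.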
It's updated to reflect that now.
I have long advocated that the publication of a web page/site/app requires the author's active interest in curatorship. It all starts with the root page resource, but it's a tangle of dependencies. The author of the root resource must take responsibility and actively curate.