Oh. Huh. So are @kkotowicz, @slekies, and @sirdarckcat happy or sad?
-
Happy, of course! We've been waiting for this day since @randomdross left Microsoft. Without him, it became useless.
-
Also, Microsoft deserves a lot of credit for being the first to remove the XSS filter. @googlechrome should do the same next for XSSAuditor.
-
Just to be clear, we are happy about the removal because these filters rewrite markup, and can be tricked, etc, right?
-
Perf cost, false positives, false negatives, code complexity, introduction of cross-origin oracles are all real problems. More so for some implementations than others of course.
-
False positives made it annoying. False negatives made it useless. Cross-origin oracles made it dangerous. Web developers assuming it did something and security researchers working on bypasses to show them wrong made it expensive. This isn't a haiku, sorry.
-
Also the uXSS made it funny :-)
-
Why was the Microsoft one controversial and not the chrome one? Or is the chrome one considered controversial too?
-
Huh, I didn't know that folks objected to it. Does it cause harm or is it just considered unnecessary?
-
Huh! Thanks! TIL.