@filedescriptor: How do you feel about https://codereview.chromium.org/2260103003 as a mitigation against http://blog.innerht.ml/csp-2015/#danglingmarkupinjection …? /cc @arturjanc @lcamtuf
Whoa, I didn't know there was a discussion of it. The mitigation looks OK, but not sure about potential breakage.
FYI https://github.com/w3c/webappsec-csp/issues/98 … has some more context and discussions about alternatives.
For breakage, my hope/uneducated guess is that it shouldn't be terrible because you need: 1)
(Twitter is hard). You need: 1) A legitimate <script> element with "<script" in one of its attributes; 2) That script must have a CSP nonce.
7:00 AM - 31 Aug 2016
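Added example, not code from the thread or from Chromium: a constructed model of the start-tag tokenization that lets an unclosed injected `<script` swallow the page's own `nonce` attribute, next to the proposed check from the code review (ignore the nonce when any attribute name or value contains "<script"). The names `tokenize_start_tag`, `nonce_honoured`, `audit`, the nonce and the sample page are all assumptions made for this example; it also shows the breakage case from the last tweet, a legitimate nonced script carrying "<script" in an attribute.

```python
import re

WS = " \t\n\r\f"                    # HTML's ASCII whitespace
SCRIPT_TAG = re.compile(r"<script\b", re.I)

def _at(pattern, html, i):
    """Index just past `pattern` matched at html[i] (the patterns used below always match)."""
    return re.compile(pattern).match(html, i).end()

def tokenize_start_tag(html, pos):
    """Attributes of the start tag at html[pos], imitating the HTML tokenizer's
    attribute states (a constructed model, not a browser's code)."""
    i, attrs = _at("<[^%s/>]*" % WS, html, pos), {}
    while i < len(html) and html[i] != ">":
        if html[i] in WS + "/":
            i += 1
            continue
        j = _at("[^%s=/>]*" % WS, html, i)     # '<' is a legal name character here
        name, value, i = html[i:j].lower(), "", _at("[%s]*" % WS, html, j)
        if i < len(html) and html[i] == "=":
            i = _at("[%s]*" % WS, html, i + 1)
            if i < len(html) and html[i] in "\"'":
                j = html.find(html[i], i + 1)
                j = len(html) if j == -1 else j
                value, i = html[i + 1:j], j + 1
            else:
                j = _at("[^%s>]*" % WS, html, i)
                value, i = html[i:j], j
        attrs.setdefault(name, value)           # duplicate names: the first one wins
    return attrs, i + 1

def nonce_honoured(attrs, page_nonce):
    """The proposed mitigation: ignore the nonce if any attribute name or
    value of the element contains "<script" (ASCII case-insensitive)."""
    return attrs.get("nonce") == page_nonce and not any(
        "<script" in n or "<script" in v.lower() for n, v in attrs.items())

def audit(html, page_nonce):
    """Per <script> start tag: (src, nonce matched, runs under the mitigation)."""
    out, i = [], 0
    while m := SCRIPT_TAG.search(html, i):
        attrs, i = tokenize_start_tag(html, m.start())
        out.append((attrs.get("src"), attrs.get("nonce") == page_nonce,
                    nonce_honoured(attrs, page_nonce)))
    return out

# Constructed page: untrusted text lands before a legitimately nonced script. The injected
# tag is never closed, so the page's own "<script nonce=..." is read as attributes of it.
NONCE, INJECTED = "r4nd0m", '<script src="https://attacker.invalid/x.js"'
PAGE = "<div>Hello, " + INJECTED + ' welcome back.\n<script nonce="r4nd0m" src="/app.js"></script></div>'
```

`audit(PAGE, NONCE)` reports the injected script with a matching nonce but blocked by the check, while a clean nonced script still runs; a legitimate script with "<script" in an attribute is the breakage case and is blocked too.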