Our (@we1x @slekies @arturjanc) #CSP paper is out. 95% bypassable, whitelisting is doomed, #strictdynamic helps. https://research.google.com/pubs/pub45542.html
Note that CSP mode isn't an obstacle for an attacker because the XSS can inject a new ng-app w/o ng-csp.
that would not work at all if CSP is actually enabled.