Our (@mikispag @slekies @arturjanc) #CSP research paper (ACM CSS) is public now. It's time to drop whitelists! https://research.google.com/pubs/pub45542.html
So the real way to fix this is to change broken assumptions made by CSP, and switch to nonces/hashes.
Which is what CSP3 is doing with #strictdynamic and which is a better solution than fixing whitelists.
Similarly with Angular, the change has to be at the CSP level; other solutions break too many things :(
Thanks for the responses. Great paper by the way! Looking forward to the tool release.