Our (@mikispag @slekies @arturjanc) #CSP research paper (ACM CSS) is public now. It's time to drop whitelists! https://research.google.com/pubs/pub45542.html
Is your automatic policy analysis tool available? It'd be great to see that added to @securityheaders
Replying to @0xdabbad00 @we1x and
Also 8 of the top 15 sites from your paper with end-points that subvert CSP are Google owned. Can u fix?
Replying to @0xdabbad00 @we1x and
Short answer: not really. Long answer: the core of the problem isn't in such endpoints, but in CSP.
Replying to @arturjanc @0xdabbad00 and
So the real way to fix this is to change broken assumptions made by CSP, and switch to nonces/hashes.
Replying to @arturjanc @0xdabbad00 and
Which is what CSP3 is doing with #strictdynamic and which is a better solution than fixing whitelists.
Similarly with Angular, the change has to be at the CSP level; other solutions break too many things :(
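As an added example (not code from the paper or from any participant in the thread), a small policy check in the spirit of the analysis tool asked about above: it classifies a policy's script-src as whitelist-based or nonce-based with 'strict-dynamic', applying the CSP3 rule that host sources and 'unsafe-inline' are ignored once 'strict-dynamic' is present alongside a nonce or hash. The policy strings and hostnames are constructed.

```python
"""Classify a CSP's script-src as whitelist-based vs. nonce/hash + 'strict-dynamic'."""
import re

# Matches 'nonce-...' and 'sha256/384/512-...' source expressions (CSP2/CSP3).
NONCE_OR_HASH = re.compile(r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'$")

# Constructed sample policies: a host whitelist, and the CSP3 nonce-based form
# (the trailing https: and 'unsafe-inline' are fallbacks for pre-CSP3 browsers).
WHITELIST_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com 'unsafe-inline'"
STRICT_POLICY = "script-src 'nonce-c0nstructed' 'strict-dynamic' https: 'unsafe-inline'; object-src 'none'"

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def assess_script_src(header):
    """Return (mode, findings) for the directive that governs script loading."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if not sources:
        return "unrestricted", ["no script-src or default-src: any script may load"]
    lowered = [s.lower() for s in sources]          # keywords are case-insensitive
    has_strict_dynamic = "'strict-dynamic'" in lowered
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    # 'self' counts as whitelisting the page's own origin (and everything it serves).
    hosts = [s for s in sources if not s.startswith("'") or s.lower() == "'self'"]
    findings = []
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce/hash: injected inline scripts run")
    if has_strict_dynamic and not has_nonce_or_hash:
        findings.append("'strict-dynamic' without a nonce/hash: CSP3 browsers load no scripts")
    if hosts and not has_strict_dynamic:   # with 'strict-dynamic', CSP3 ignores host sources
        findings.append(f"host whitelist {hosts}: bypassable if any host serves JSONP, Angular or similar script gadgets")
        if any(h in ("*", "https:", "http:") or h.startswith("*.") for h in hosts):
            findings.append("wildcard/scheme source makes the whitelist meaningless")
    if has_strict_dynamic and has_nonce_or_hash:
        mode = "strict-dynamic"
    elif has_nonce_or_hash and not hosts:
        mode = "nonce/hash"
    elif hosts:
        mode = "whitelist"
    elif "'unsafe-inline'" in lowered:
        mode = "unsafe-inline"
    else:
        mode = "blocked"
    return mode, findings

if __name__ == "__main__":
    for name, header in (("whitelist", WHITELIST_POLICY), ("strict", STRICT_POLICY)):
        print(name, *assess_script_src(header))
```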
Replying to @arturjanc @we1x and
Thanks for the responses. Great paper by the way! Looking forward to the tool release.