the issue with CSP wasn't that it couldn't fix stuff, it was that it wasn't usable
Replying to @sirdarckcat @homakov and
Why making usable something that almost never actually delivers security?
Replying to @kkotowicz @homakov and
if a developer spends 30 mins to mitigate 10% of bugs for 40% of his users, #win
Replying to @sirdarckcat @homakov and
the problem is, he gets an A on Mozilla Observatory and never fixes the XSS.
Replying to @sirdarckcat @homakov and
it shifts the industry to promoting a bad solution, and away from fixing bugs.
Replying to @kkotowicz @sirdarckcat and
Just curious: do you have the same view of ASLR and low-level mitigations?
Replying to @arturjanc @sirdarckcat and
No, b/c those are well-aligned. CSP is not, that's why it's cumbersome.
Replying to @kkotowicz @arturjanc and
CSP is sadly doc-specific, w/ messy syntax and try-to-address-all attitude.
Replying to @kkotowicz @arturjanc and
All above are fixable, but I think it's better to just start anew.
"Anew" means several years without UA impls & with no useful model to build on