the problem is, he gets an A on Mozilla Observatory and never fixes the XSS.
Replying to @sirdarckcat @homakov and
it shifts the industry to promoting a bad solution, and away from fixing bugs.
2 replies 0 retweets 1 like
Replying to @kkotowicz @sirdarckcat and
Just curious: do you have the same view of ASLR and low-level mitigations?
3 replies 0 retweets 1 like
Replying to @arturjanc @sirdarckcat and
No, b/c those are well-aligned. CSP is not, that's why it's cumbersome.
1 reply 0 retweets 0 likes
Replying to @kkotowicz @arturjanc and
CSP is sadly doc-specific, w/ messy syntax and try-to-address-all attitude.
2 replies 0 retweets 0 likes
Replying to @kkotowicz @arturjanc and
All above are fixable, but I think it's better to just start anew.
3 replies 0 retweets 0 likes
Replying to @kkotowicz @arturjanc and
Unless we want to do it UK style we should define the new approach before
#CSPexit
1 reply 0 retweets 1 like
Replying to @johnwilander @kkotowicz and
If nonces are the way to go it's easy to build a new mechanism to enforce them
1 reply 0 retweets 0 likes
Replying to @arturjanc @johnwilander and
And the only way to see if they really work is to use them with current CSP
2 replies 0 retweets 0 likes
Developers won't spend time on such stuff unless they get value out of it *now*
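The thread argues that nonces are the part of CSP worth keeping, and that the only way to find out is to use them with the CSP that exists today. The following is an added example, not code posted by anyone in the thread: a constructed server-side cycle that mints a fresh nonce per response, puts it in a nonce-only `script-src`, and a small checker that mimics the browser's decision of which `<script>` elements such a policy lets run. It shows the point behind the opening remark about Observatory grades: the policy contains the reflected script from an unfixed XSS bug, but the bug itself is still there in the rendered HTML. The page layout, the `initApp()` call and the injected string are all constructed for the example; only the nonce check is modelled, not host sources, hashes or `'strict-dynamic'`.

```python
import base64
import re
import secrets

# Constructed scenario (not from the thread): a server that mints a fresh
# nonce per response, puts it in the CSP header and on its own <script>
# tags, and a checker that mimics the browser's nonce decision.


def make_nonce(nbytes: int = 16) -> str:
    """Fresh, unguessable per-response nonce; CSP requires base64 text."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_csp(nonce: str) -> str:
    """Nonce-only script policy: no host allowlist is needed at all."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


def render_page(nonce: str, untrusted: str) -> str:
    """Constructed page: one legitimate script plus a reflected, unescaped
    value standing in for the XSS bug the policy is meant to contain."""
    return (
        "<html><body>"
        f'<script nonce="{nonce}">initApp();</script>'
        f"<div id=comment>{untrusted}</div>"
        "</body></html>"
    )


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def script_src_nonces(policy: str) -> set:
    """Collect the 'nonce-...' sources of the script-src directive."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return {
                t[len("'nonce-"):-1]
                for t in tokens[1:]
                if t.startswith("'nonce-") and t.endswith("'")
            }
    return set()


def script_decisions(html: str, policy: str) -> list:
    """For each <script> tag, (attributes, would_execute) under the policy.
    Only the nonce check is modelled; host sources and hashes are ignored."""
    allowed = script_src_nonces(policy)
    decisions = []
    for match in SCRIPT_TAG.finditer(html):
        attrs = match.group(1).strip()
        found = NONCE_ATTR.search(attrs)
        decisions.append((attrs, found is not None and found.group(1) in allowed))
    return decisions


def demo(injected: str = "<script>document.title='injected'</script>") -> list:
    """One request/response cycle: fresh nonce, policy, page, decisions."""
    nonce = make_nonce()
    policy = build_csp(nonce)
    return script_decisions(render_page(nonce, injected), policy)


if __name__ == "__main__":
    for attrs, runs in demo():
        print(f"{'RUNS   ' if runs else 'BLOCKED'} <script {attrs}>")
```

The legitimate script runs because its `nonce` attribute matches the header; the reflected script has no nonce and is blocked. A nonce copied from an earlier response is rejected too, which is why the nonce must be regenerated per response and never cached with the page.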