No, b/c those are well-aligned. CSP is not, that's why it's cumbersome.
Replying to @kkotowicz @arturjanc and
CSP is sadly doc-specific, w/ messy syntax and try-to-address-all attitude.
2 replies 0 retweets 0 likes
Replying to @kkotowicz @sirdarckcat and
'strict-dynamic' kinda fixes 2 of those; https://mikewest.github.io/origin-policy/ remaining one
1 reply 0 retweets 3 likes
Replying to @arturjanc @kkotowicz and
Also, problems with any given mechanism don't negate the value of mitigations.
1 reply 0 retweets 2 likes
Replying to @arturjanc @sirdarckcat and
<3 that. Mitigations get a free pass, regardless of design quality & efficacy.
1 reply 0 retweets 0 likes
The value is roughly: size_of_problem * mitigation_usefulness / adoption_pain
2 replies 0 retweets 0 likes
Replying to @arturjanc @kkotowicz and
For whitelist-based CSP, the problem (XSS) is big, usefulness ~low, pain ~big
1 reply 0 retweets 0 likes
Replying to @arturjanc @kkotowicz and
But w/ nonces + 's-d' CSP gets more useful: harder to bypass, easier to adopt.
12:57 AM - 7 Sep 2016
0 replies 0 retweets 0 likes
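To make the last two tweets concrete, here is an added example (not part of the thread, and not code from any of the participants) that puts a whitelist-style script-src policy beside a nonce plus 'strict-dynamic' policy, generates a fresh nonce per response, and checks which of the two shapes a given header has. The host names and the page-rendering helper are assumptions made up for the illustration.

```python
import html
import secrets

# Assumption: a whitelist policy of the kind the thread calls "usefulness ~low".
# The hosts are placeholders; any permitted host that serves a JSONP endpoint or
# an AngularJS-style library is enough to bypass a policy like this.
WHITELIST_CSP = (
    "script-src 'self' https://cdn.example.test https://ajax.example.test; "
    "object-src 'none'"
)


def make_nonce() -> str:
    """128 bits from the OS CSPRNG, base64url-encoded. Must be fresh per response."""
    return secrets.token_urlsafe(16)


def strict_dynamic_csp(nonce: str) -> str:
    """Nonce + 'strict-dynamic' policy.

    'strict-dynamic' lets nonced scripts load further scripts without a host
    whitelist; 'unsafe-inline' and https: are ignored by browsers that
    understand nonces/'strict-dynamic' and only serve as a fallback for older ones.
    """
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
        "object-src 'none'; base-uri 'none'"
    )


def render_page(nonce: str, script_url: str) -> str:
    """Hypothetical template: every legitimate <script> carries the response nonce."""
    return (
        f'<script nonce="{html.escape(nonce)}" src="{html.escape(script_url)}">'
        "</script>"
    )


def script_src_tokens(csp: str) -> list[str]:
    """Return the source-expression tokens of the script-src directive, or []."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def uses_nonce_and_strict_dynamic(csp: str) -> bool:
    """True when script-src relies on a nonce and 'strict-dynamic' rather than hosts."""
    tokens = script_src_tokens(csp)
    has_nonce = any(t.startswith("'nonce-") for t in tokens)
    return has_nonce and "'strict-dynamic'" in tokens


def build_response(script_url: str) -> tuple[dict[str, str], str]:
    """One response: a fresh nonce, the CSP header and the body that carries it."""
    nonce = make_nonce()
    headers = {"Content-Security-Policy": strict_dynamic_csp(nonce)}
    return headers, render_page(nonce, script_url)


if __name__ == "__main__":
    headers, body = build_response("/static/app.js")
    print(headers["Content-Security-Policy"])
    print(body)
    print("whitelist policy is nonce+strict-dynamic:",
          uses_nonce_and_strict_dynamic(WHITELIST_CSP))
```

The check function is the kind of thing a reviewer can run over a site's observed headers to flag policies that still depend on a host whitelist; the nonce must never be cached or reused across responses, or it stops being a secret.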