If anything makes sense now, it's obj-src and script-src * + nonces
Replying to @kkotowicz
interestingly, I had said something similar and iirc @arturjanc pointed out a bypass due to iframe srcdoc via pure html injection
Replying to @frgx @arturjanc
then http: https: . It kinda demonstrates why it's way too complex to handle now, and we shouldn't just add more.
Replying to @kkotowicz
yeah, I do think killing inline scripts/handlers & eval is the big win from CSP, but @arturjanc keeps breaking that policy :(
Replying to @frgx @kkotowicz
of course, jquery will do document.createElement("script") and append to head implicitly for html()/insert() @arturjanc
Replying to @frgx @arturjanc
I'd also like to point out $.get() has the same thing - http://blog.kotowicz.net/2016/06/reflections-on-trusting-csp.html
Replying to @kkotowicz @frgx
Sure, but we've been through this - bugs due to these are a tiny fraction of XSS-es, and they're fixable at framework level
If you look at where XSS is most common it's still markup generation (server + client w/ innerHTML and similar APIs)