If anything makes sense now, it's obj-src and script-src * + nonces
Replying to @kkotowicz
Interestingly, I had said something similar and iirc @arturjanc pointed out a bypass due to iframe srcdoc via pure html injection
Replying to @frgx @arturjanc
then http: https: . It kinda demonstrates why it's way too complex to handle now, and we shouldn't just add more.
Replying to @kkotowicz
Yeah, I do think killing inline scripts/handlers & eval is the big win from CSP, but @arturjanc keeps breaking that policy :(
Replying to @frgx @kkotowicz
Of course, jQuery will do document.createElement("script") and append to head implicitly for html()/insert() @arturjanc
Replying to @frgx @arturjanc
I'd also like to point out $.get() has the same thing - http://blog.kotowicz.net/2016/06/reflections-on-trusting-csp.html
Replying to @kkotowicz @frgx
Sure, but we've been through this - bugs due to these are a tiny fraction of XSS-es, and they're fixable at framework level
Replying to @arturjanc @frgx
jQuery.html(inj) is a tiny fraction? I find it hard to believe on the open web, ask pentesters. I've seen many myself.
Replying to @kkotowicz @frgx
You realize that this is fixable, right? If you care about XSS enough to adopt CSP w/ nonces you can use a hardened jQuery
Replying to @arturjanc @frgx
You realize a polyfill for nonce propagation is easier than upgrading jQuery?
You can use a polyfill instead of 's-d' if you want to serve the JS on all pages and also do UA sniffing. Many people can't.