We're all in the hands of ad networks. But let's keep fighting regular XSS and non-PFS. The ad networks and trackers must have full access. https://twitter.com/brendaneich/status/782767374705496064 …
A cross-origin script load is nothing like XSS; but explaining this on Twitter is a fool's errand, so I won't try.
Are you trying to get me to explain XSS to a leading researcher of XSS? ;-) I'm too old to be trolled like that!
Tweet unavailable
"XSS enables attackers to inject client-side scripts into web pages viewed by other users." Meh, boring topic.
Tweet unavailable
In this definition the web is built on "XSS" and the term becomes useless. Let's stick to the industry definition :)
I think that the problem is that the industry definition is wrong, no? No real fix for that.
The industry definition of XSS has been the status quo for a decade and never meant "app loads script from a CDN".
For data, see how many sensitive apps (banks, etc) load advertiser (not ad network) scripts directly. It's low.
Tweet unavailable
Non-sandboxed ads running arbitrary advertiser-controlled scripts are vulns in auth'd apps. Should be fixed.
But look at big apps, e.g. FB, Twitter, Google or your bank -- they don't allow that. (We'd pay for it via VRP)
Tweet unavailable
Sure. If *you* have important data in apps which load ad scripts same-origin, help them fix it. I do, it's rare.