We're all in the hands of ad networks. But let's keep fighting regular XSS and non-PFS. The ad networks and trackers must have full access. https://twitter.com/brendaneich/status/782767374705496064
For data, see how many sensitive apps (banks, etc) load advertiser (not ad network) scripts directly. It's low.
-
Non-sandboxed ads running arbitrary advertiser-controlled scripts are vulns in auth'd apps. Should be fixed.
-
But look at big apps, e.g. FB, Twitter, Google or your bank -- they don't allow that. (We'd pay for it via VRP)
-
Tweet unavailable
-
Sure. If *you* have important data in apps which load ad scripts same-origin, help them fix it. I do, it's rare.