We're all in the hands of ad networks. But let's keep fighting regular XSS and non-PFS. The ad networks and trackers must have full access. https://twitter.com/brendaneich/status/782767374705496064 …
Replying to @johnwilander
Your important data is mostly in apps that don't load untrusted scripts but suffer from XSS. Equating ads w/ XSS is dangerous
A cross-origin script load is nothing like XSS; but explaining this on Twitter is a fool's errand so I won't try
Replying to @arturjanc @johnwilander
For data, see how many sensitive apps (banks, etc) load advertiser (not ad network) scripts directly. It's low.
Non-sandboxed ads running arbitrary advertiser-controlled scripts are vulns in auth'd apps. Should be fixed.
Replying to @arturjanc @johnwilander
But look at big apps, e.g. FB, Twitter, Google or your bank -- they don't allow that. (We'd pay for it via VRP)
Sure. If *you* have important data in apps which load ad scripts same-origin, help them fix it. I do, it's rare.