We're all in the hands of ad networks. But let's keep fighting regular XSS and non-PFS. The ad networks and trackers must have full access. https://twitter.com/brendaneich/status/782767374705496064
-
I think that the problem is that the industry definition is wrong, no? No real fix for that.
-
Industry definition of XSS is status quo for a decade and never meant "app loads script from a CDN".
-
Tweet unavailable
-
I am thoroughly enjoying this debate.
-
Tweet unavailable
-
Good morning! In terms of aggregate risk on the web, do you agree ad scripts > "regular" XSS?
-
With ad scripts I mean loaded cross-origin under top origin for ad/tracker/analytics purposes.
-
Users of most apps can't be owned by someone hacking Google/FB and replacing "Like"/GA JS.
-
In your pentests, do you report loading scripts from another origin as "XSS"? ;-)
-
Tweet unavailable
-
Site owner owns the risk. It is not introduced by the attacker.