Your important data is mostly in apps that don't load untrusted scripts but suffer from XSS. Equating ads w/ XSS is dangerous
Industry definition of XSS is status quo for a decade and never meant "app loads script from a CDN".
I am thoroughly enjoying this debate.
Good morning! In terms of aggregate risk on the web, do you agree ad scripts > "regular" XSS?
With ad scripts I mean loaded cross-origin under top origin for ad/tracker/analytics purposes.
Users of most apps can't be owned by someone hacking Google/FB and replacing "Like"/GA JS.
Are you saying GA/FB/Omniture/Doubleclick/… cross-origin scripts are sandboxed?
The two have very different threat models; conflating them is confusing & actively bad for security.
That's the point! ;-) We suck at XSS and we need people to understand it, not overload the term.
This is beyond silly, let's just give it a rest ;-)