I'm talking third-party scripts. Not first party.
We can agree to disagree. I think full-powered third-party scripts are bad for web security.
OK, but when you say "bad" it helps to point to past compromises. "Regular" XSS caused many
Conversely, I haven't seen any due to GA or Like button JS being subverted just yet.
But that's exactly why we have SRI and apps that worry about this should definitely use it.
We need SRI + no dynamic loading.
SRI is enough if you trust the place you're loading JS from. Otherwise, don't load the JS.
How about GA demanding SRI?
Or maybe scripts can't inject script tags with hash attributes?
If so, we should come up with a way for script sources to request, then demand, SRI in two steps.
What would this protect against? An evil JS provider could just not opt into any checks.
But providers with great power could lower the aggregate risk on the web.