It's a very long race, and we're not at the finish line yet. If CSP paints itself into a corner then you will be proven right.
Replying to @randomdross
CSP will only be used by a few big companies. All devs I talk to do not understand it and thus cannot use it securely.
Replying to @slekies
Today. But when it's simpler? What if there's more education? What if there are more tools? Framework integration? It's not static.
Replying to @randomdross
CSP had 5+ years for that. We do not need more complex security mechanisms, but fool-proof ones.
Replying to @slekies @randomdross
Not every site uses postMessage, or video, but as part of the platform it lets interesting & valuable things be built.
Replying to @hillbrad @randomdross
I am happy to be convinced of the benefits of CSP, but no one is able to show me any real XSSes where it helped.
Replying to @slekies
Hard to prove a negative. *shrug* I'm all for burning CSP down, but let's replace it with something first.
@hillbrad @randomdross
We still pay for bugs prevented by CSP in VRP, but to my knowledge none has been reported yet.
We have data that >70% of XSS would be mitigated by nonce-based CSP. Ignoring this is disingenuous.
Replying to @arturjanc @mikewest and
70% of Google's current bugs that are considerably different from bugs you see everywhere else.
Bugs from hundreds of applications on many stacks. If you have better data, please share it.
Replying to @arturjanc @mikewest and
I have better data from http://goo.gl/Mbr0Wq. But only on DOM-XSS, and it is outdated.
Replying to @slekies @arturjanc and
It would be possible to collect it again, but it is a lot of effort.