CSP will only be used by a few, big companies. All devs I talk to do not understand it and thus cannot use it securely.
-
-
It's just as useful to complain about ASLR or other low-level mitigations ;-)
-
Cost/benefit ratio is negative. OK, if CSP is for free, but effort is better spent elsewhere.
-
Everyone focuses on CSP, no one on addressing the root cause.
-
Happy to keep CSP, if we also work on other ways.
-
We do many things against XSS at Google, but almost none in the Web platform except CSP.
-
Look at suborigins and isolation proposals ;-) The diff. is that CSP exists and is supported *now*
-
All mitigating the symptoms, not fighting the root causes.
-
There is no secret cabal that kills good ideas to fight XSS root causes. Just not many good ideas.
-
: *cough*csp-cabal@*cough*