Today. But when it's simpler? What if there's more education? What if there are more tools? Framework integration? It's not static.
Replying to @randomdross
CSP had +5 years for that. We do not need more complex security mechanisms, but fool-proof ones.
1 reply 0 retweets 2 likes -
Replying to @slekies @randomdross
Not every site uses postMessage, or video, but as part of the platform it lets interesting & valuable things be built.
2 replies 0 retweets 0 likes -
Replying to @hillbrad @randomdross
I am happy to be convinced of the benefits of CSP, but no one is able to show me any real XSSes where it helped.
5 replies 0 retweets 0 likes -
Replying to @slekies
Hard to prove a negative. *shrug* I’m all for burning CSP down, but let’s replace it with something first.
1 reply 0 retweets 1 like -
@hillbrad @randomdross
we still pay for bugs prevented by CSP in VRP, but to my knowledge none has been reported yet.
3 replies 0 retweets 0 likes -
We have data that >70% of XSS would be mitigated by nonce-based CSP. Ignoring this is disingenuous
1 reply 6 retweets 8 likes -
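The nonce-based CSP @arturjanc refers to, as an added example that is not part of the thread: a per-response nonce goes into the header and onto the site's own script tags, so a script reflected through an unescaped field never carries it and a nonce-aware browser refuses to run it. The page template, the `/app.js` path and the injected comment are constructed for the demo; the audit function mimics the browser's nonce check rather than replacing it.

```python
import base64
import re
import secrets

def make_nonce() -> str:
    """Fresh, unguessable nonce for one HTTP response (128 bits, base64)."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def csp_header(nonce: str) -> str:
    """Nonce-based policy: a script runs only if it carries this response's nonce.
    'strict-dynamic' lets nonce'd scripts load further scripts; 'unsafe-inline'
    and https: are ignored by browsers that understand nonces and only serve as
    fallbacks for older ones."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
            "object-src 'none'; base-uri 'none'")

# Constructed page template (not from the thread): one legitimate script and a
# reflected, unescaped comment field, i.e. the injection point an XSS would use.
PAGE_TEMPLATE = (
    "<html><body>"
    '<script nonce="{nonce}" src="/app.js"></script>'
    "<div class=comment>{comment}</div>"
    "</body></html>"
)

def build_page(nonce: str, comment: str) -> str:
    return PAGE_TEMPLATE.format(nonce=nonce, comment=comment)

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']?([^"'\s>]*)""", re.IGNORECASE)

def script_allowed(attrs: str, nonce: str) -> bool:
    """Decision a nonce-aware browser makes for one <script> tag: execute only
    when the tag's nonce attribute equals the response nonce (constant-time)."""
    m = NONCE_ATTR.search(attrs)
    if m is None or not m.group(1).isascii():
        return False
    return secrets.compare_digest(m.group(1), nonce)

def audit_page(html: str, nonce: str) -> list:
    """[(tag attributes, would the browser execute it?)] for every script tag."""
    return [(m.group(1).strip(), script_allowed(m.group(1), nonce))
            for m in SCRIPT_TAG.finditer(html)]

if __name__ == "__main__":
    nonce = make_nonce()
    html = build_page(nonce, "<script>alert(1)</script>")  # constructed injection
    print("Content-Security-Policy:", csp_header(nonce))
    for attrs, ok in audit_page(html, nonce):
        print(("EXECUTED " if ok else "BLOCKED  ") + "<script " + attrs + ">")
```

The nonce must be generated per response and never reused or embedded anywhere an attacker-controlled string could read it back; a cached page with a fixed nonce gives no protection.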
Replying to @arturjanc @mikewest and
70% of Google's current bugs that are considerably different from bugs you see everywhere else.
2 replies 0 retweets 2 likes -
Replying to @slekies @arturjanc and
And only if it can be globally adapted. But CSP is incompatible with many apps e.g. AngularJS
1 reply 0 retweets 0 likes -
I find it interesting to see rants against an optional security feature that solves a real problem
2 replies 0 retweets 1 like
It's just as useful to complain about ASLR or other low-level mitigations ;-)