We have data that >70% of XSS would be mitigated by nonce-based CSP. Ignoring this is disingenuous
Replying to @arturjanc @mikewest and
70% of Google's current bugs that are considerably different from bugs you see everywhere else.
2 replies 0 retweets 2 likes
Replying to @slekies @arturjanc and
And only if it can be globally adapted. But CSP is incompatible with many apps, e.g. AngularJS
1 reply 0 retweets 0 likes
I find it interesting to see rants against an optional security feature that solves a real problem
2 replies 0 retweets 1 like
Replying to @arturjanc @mikewest and
Cost/benefit ratio is negative. OK, if CSP is for free, but effort is better spent elsewhere
1 reply 0 retweets 0 likes
Replying to @slekies @arturjanc and
Everyone focuses on CSP, no one on addressing the root cause.
2 replies 0 retweets 0 likes
Replying to @slekies @arturjanc and
Happy to keep CSP, if we also work on other ways.
2 replies 0 retweets 2 likes
Replying to @slekies @arturjanc and
We do many things against XSS at Google, but almost none in the Web platform except CSP
2 replies 0 retweets 0 likes
Look at suborigins and isolation proposals ;-) The diff. is that CSP exists and is supported *now*
1 reply 0 retweets 1 like
Replying to @arturjanc @mikewest and
All mitigating the symptoms, not fighting the root causes.
2 replies 0 retweets 0 likes
There is no secret cabal that kills good ideas to fight XSS root causes. Just not many good ideas.
Replying to @arturjanc
*cough*csp-cabal@*cough* @slekies @hillbrad @randomdross
1 reply 0 retweets 3 likes