because you're forever bound to the syntax & semantics because of deployments
Replying to @kkotowicz @randomdross and
that are messy, provide little value (e.g. whitelists), but CSP gives you A+ on some metric
Replying to @kkotowicz @slekies and
I just don't see a realistic endgame where CSP gets checkmated like the Angular sandbox.
Replying to @randomdross @kkotowicz and
Individual bypass != inherently bypass-able. Get to inherently bypass-able and it's game over.
Replying to @randomdross @kkotowicz and
domain-based whitelists are inherently bypass-able.
Replying to @slekies @randomdross and
nonces not so much. But achieved by giving up on a large portion of attacks >=30%
Replying to @slekies @randomdross and
and 30% is the lower bound, under perfect adoption and without mistakes.
Replying to @slekies @kkotowicz and
Ranting against a defense-in-depth mechanism because it doesn't solve *all* problems... Really? ;-)
Replying to @arturjanc @kkotowicz and
Cost/benefit ratio is currently negative and no one is able to argue against this.
Replying to @slekies @arturjanc and
show me that this is wrong and I am happy to reconsider.
Easy, completed adoption in products where all other anti-XSS measures failed + ~70% mitigation rate
Replying to @arturjanc @slekies and
You ignore the time spent on developing this + assume 0 adoption costs. ROI is negative so far