After an outcry against tying a focused anti-XSS syntax to the existing `X-XSS-Protection`, we're back to `ARTUR`: https://mikewest.github.io/artur-yes/
Replying to @mikewest
Having an "unsafe" default seems to defeat the purpose of the naming convention.
80% of apps use CSP with 'unsafe-eval' and injections into eval() are more rare than other XSS. It's a convenience thing.
Replying to @arturjanc @mikewest
I get the convenience, but unsafe-by-default is how we got into this mess to begin with. :)
CSP was safe by default but required arcane spells ('unsafe-eval') to make things work. So few people understood it.
As a result of this complexity, almost everyone uses bad CSP policies. The new approach aims for simplicity instead.
@ericlaw, replying to @arturjanc:
I don’t know anyone who failed to deploy CSP because of the struggle to add ‘unsafe-eval’.
Several of our apps spent a lot of time getting rid of 'unsafe-eval' without fixing 'unsafe-inline' first. Complexity bad
@ericlaw, replying to @arturjanc:
Maybe that’s a failure in messaging. ‘very-unsafe-inline’ next time.
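The thread turns on two keyword sources, 'unsafe-inline' and 'unsafe-eval', and on the observation that teams remove the second while the first is still in place. The checker below is an added example written for this page (it is not code from any participant or from any browser); it parses a Content-Security-Policy header value, works out which sources govern scripts, and flags the script-src weaknesses a reviewer would raise, including the point that dropping 'unsafe-eval' gains nothing while 'unsafe-inline' is still effective. It applies two rules from the CSP spec: the first occurrence of a duplicated directive wins, and a nonce or hash in the directive causes CSP2+ browsers to ignore 'unsafe-inline'. The sample policies are constructed for the demo.

```python
# Added example: a checker for the script-src portion of a CSP header value.
# Illustrative code written for this thread, not from any participant or
# browser; the sample policies at the bottom are constructed inputs.

SCHEME_ONLY = {"http:", "https:", "data:", "blob:", "filesystem:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header value into {directive: [sources]}.

    Directive names are ASCII case-insensitive. When a directive appears
    more than once, browsers honour the first occurrence and ignore the
    rest, so the parser does the same.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_script_src(policy):
    """Sources governing scripts: script-src, else default-src, else None (unrestricted)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def check_script_src(header):
    """Return [(code, explanation)] for the script-src weaknesses worth flagging."""
    sources = effective_script_src(parse_csp(header))
    if sources is None:
        return [("unrestricted", "no script-src or default-src: any script can run")]

    lowered = [s.lower() for s in sources]
    findings = []
    # A nonce or hash in the directive makes CSP2+ browsers ignore
    # 'unsafe-inline'; it then only serves as a fallback for CSP1-era browsers.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    inline_effective = "'unsafe-inline'" in lowered and not has_nonce_or_hash

    if "'unsafe-inline'" in lowered:
        if has_nonce_or_hash:
            findings.append(("inline-ignored",
                             "'unsafe-inline' is overridden by the nonce/hash (legacy fallback only)"))
        else:
            findings.append(("unsafe-inline",
                             "injected <script> and inline handlers execute; CSP gives no XSS protection"))
    if "'unsafe-eval'" in lowered:
        findings.append(("unsafe-eval",
                         "eval(), new Function() and string setTimeout() are allowed"))
        if inline_effective:
            findings.append(("eval-moot",
                             "dropping 'unsafe-eval' gains nothing while 'unsafe-inline' is in effect"))
    if "*" in lowered or any(s in SCHEME_ONLY for s in lowered):
        findings.append(("wildcard",
                         "a wildcard or bare scheme source lets scripts load from any host"))
    return findings


def finding_codes(header):
    """Just the finding codes, for quick comparison."""
    return [code for code, _ in check_script_src(header)]


# Constructed sample policies for the demo below.
LAX = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example"
NONCE_BASED = "script-src 'nonce-d41d8cd9' 'unsafe-inline' 'strict-dynamic'; object-src 'none'"
NO_SCRIPT_SRC = "img-src 'self'"

if __name__ == "__main__":
    for name, header in [("lax", LAX), ("nonce", NONCE_BASED), ("none", NO_SCRIPT_SRC)]:
        print(name)
        for code, why in check_script_src(header):
            print(f"  {code}: {why}")
```

Run it against a real header copied from a response and read the codes top to bottom: an effective 'unsafe-inline' finding means the rest of the policy is doing nothing against XSS, which is the order of work ericlaw's second tweet is complaining about.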