After an outcry against tying a focused anti-XSS syntax to the existing `X-XSS-Protection`, we're back to `ARTUR`: https://mikewest.github.io/artur-yes/
It's boilerplate that everyone will have to include, with negligible security value. But not the end of the world.
A new simple thing to avoid the mistakes of CSP would be more powerful if it focused on the things we know are important.
Which in this case are nonces/hashes for blessing scripts and not getting developers to hunt down eval().