Can we talk about strict-dynamic and nonce in #CSP, when we still have to have unsafe-eval to use libraries?
Replying to @KseniaDmitrieva
unsafe-eval permits XSS via eval(), but doesn't reduce the security of CSP as much as an unsafe origin in the whitelist.
Replying to @arturjanc @KseniaDmitrieva
So in our applications we're not worried about 'unsafe-eval' because nonces + 'strict-dynamic' protect from most XSSes.
2:16 PM - 25 Oct 2016