that innerHTML does not execute script actually causes more CSP bypasses than it prevents XSS.
If I set a flag to opt my app into a mode that prevents script execution via parser-based APIs, intent is fairly obvious
It doesn't get much clearer than a flag that says 'stop-executing-scripts-added-via-parser-based-JS-apis'.
I think @slekies point is that developers will want both things. Like what happened with ng-csp. It's a valid point IMO -
If convenience damages security and developer explicitly chose security, libraries need to conform. Simple.
I was thinking more about the default behavior. But if security is inconvenient, no one will adopt it.
FWs will want to *work* when developers "turn on" security features. So they will work around them. Simple.
And if they do they will be wrong, and detrimental to user security. Luckily it's a fixable problem.
Is ng-csp detrimental to user security?
Yes, the Angular security model based on bypassing platform security features (via {{ }} and AST*) is wrong