If you want to strengthen CSP, allow scripts in innerHTML and libraries will not implement insecure code for not surprising devs.
If libraries hack around hardened, safe APIs against developer intent, the libraries need changing, not the APIs.
Replying to @arturjanc @mikewest
If the API does not fulfill the needs, devs will hack around it. Also innerHTML is not a safe, hardened API.
These hacks are also not introduced against the devs' intent, but for the opposite.
If I set a flag to opt my app into a mode that prevents script execution via parser-based APIs, intent is fairly obvious.
It doesn't get much clearer than a flag that says 'stop-executing-scripts-added-via-parser-based-JS-apis'.
Replying to @arturjanc @mikewest
I think @slekies' point is that developers will want both things. Like what happened with ng-csp. It's a valid point IMO.
If convenience damages security and developer explicitly chose security, libraries need to conform. Simple.
I was thinking more about the default behavior. But if security is inconvenient, no one will adopt it.
Yes, the opt-in part is important. FWIW it's no more inconvenient than rewriting inline scripts for CSP ;-)
And while this certainly requires work, many large apps have shown it's not that big of a deal.