These hacks are also not introduced against the devs' intent, but for the opposite.
-
-
Also, saying that hardening APIs is bad because "frameworks can work around it" is incredibly short-sighted.
-
I am not saying that at all. Just saying we need to take this into account to not get it wrong.
-
I can show you dozens of examples where the current behavior of innerHTML led to hacks in libraries.
-
Every single one is a CSP bypass, btw.
-
Not really; it's incompatible with one particular way to do CSP ('strict-dynamic') and is easy to fix.
-
Not only strict-dynamic, but also unsafe-eval, which is required for most frameworks.
-
And it is not easy to fix ;-).
-
You're right, it isn't, there are no easy solutions to complex problems. But hardened core APIs are a start.