FWs will want to *work* when developers "turn on" security features. So they will work around them. Simple.
And if they do they will be wrong, and detrimental to user security. Luckily it's a fixable problem.
Is ng-csp detrimental to user security?
Yes, the Angular security model based on bypassing platform security features (via {{ }} and AST*) is wrong
Replying to @arturjanc @sirdarckcat and
... and is the source of countless vulnerabilities we otherwise wouldn't have. We can't let it happen again.
Replying to @arturjanc @sirdarckcat and
Also, saying that hardening APIs is bad because "frameworks can work around it" is incredibly short-sighted.
I am not saying that at all. Just saying we need to take this into account to not get it wrong.
Replying to @slekies @arturjanc and
I can show you dozens of examples where the current behavior of innerHTML led to hacks in libraries.
Replying to @slekies @arturjanc and
We should look at them to understand why these hacks are in place.
Replying to @slekies @arturjanc and
Then we should choose a hardening way that will not lead to these hacks.
We already know: convenience. But if devs decide security is more important, FWs need to respect this choice.