I was thinking more about the default behavior. But if security is inconvenient, no one will adopt it.
Not really; it's incompatible with one particular way to do CSP ('strict-dynamic') and is easy to fix.
not only strict-dynamic, also unsafe-eval, which is required for most frameworks.
and it is not easy to fix ;-).
You're right, it isn't, there are no easy solutions to complex problems. But hardened core APIs are a start.
yes, definitely. I am the last one to argue against hardening. Just brought up one important issue.
Our disagreement boils down to the question of whether we can get FWs to play nice with new, hardened APIs.
If we can't then we can never put faith in secure APIs for the web b/c they can always be subverted by FWs.
again: I am not saying we can't do this. I am not at all opposing the idea. Just saying we need to be careful.
Violent agreement, then? :) FWIW we've done a bad job at secure-by-default JS FWs and we should get better.