every single one is a CSP bypass btw
Not really; it's incompatible with one particular way to do CSP ('strict-dynamic') and is easy to fix.
not only strict-dynamic, also unsafe-eval, which is required for most frameworks.
You're right, it isn't, there are no easy solutions to complex problems. But hardened core APIs are a start.
yes, definitely. I am the last one to argue against hardening. Just brought up one important issue.
Our disagreement boils down to the question of whether we can get FWs to play nice with new, hardened APIs.
Replying to @arturjanc @slekies and
If we can't then we can never put faith in secure APIs for the web b/c they can always be subverted by FWs.
again: I am not saying we can't do this. I am not at all opposing the idea. Just saying we need to be careful
Violent agreement, then? :) FWIW we've done a bad job at secure-by-default JS FWs and we should get better.
I just wouldn't like the past crappiness of this area to hold us back from making useful platform changes.