Can we make CSP simpler? Or will "fixing" it just make it even worse and more complex? Can we start from scratch? Consider it sunk costs?
https://twitter.com/frgx/status/827999372293988352 …
CSP was always a mixed bag to help with various bugs (clickjacking, MIX, XSS). So... which box?
-
Splitting into primitives is good, but then security config is scattered all over the app.
-
If there are simple, useful primitives we should build them without worrying about header names.
-
The box is thinking a response header in an HTML document will fix its XSS.
-
"default-src 'none'", thanks for playing!
-
It's OK, I'm not saying you should stop working on it. Just that the rest should think of new ways
-
10 years, and 3 revisions was enough of a chance. Developers didn't like it.
-
So it would be nice to see what else we can do now. Taking on the problem from different angles.
-
I mean, I guess CSP doesn't need a monopoly on web security to survive.