What would be your preference? If you had unlimited resources.
If there are simple, useful primitives we should build them without worrying about header names.
-
-
The box is thinking a response header in an HTML document will fix its XSS.
-
"default-src 'none'", thanks for playing!
-
It's OK, I'm not saying you should stop working on it. Just that the rest should think of new ways
-
10 years, and 3 revisions was enough of a chance. Developers didn't like it.
-
So it would be nice to see what else we can do now. Taking on the problem from different angles.
-
I mean, I guess CSP doesn't need a monopoly on web security to survive.
-
Sure. There are many proposals for tackling XSS from different angles (suborigins, isolation)...
-
... and we'd benefit from having them all implemented. But they're not mutually exclusive w/ CSP.