I don't know the right answer. I do think we need to spend more time thinking out of the CSP box.
Replying to @sirdarckcat @patricktoomey and
CSP was always a mixed bag to help with various bugs (clickjacking, MIX, XSS). So... which box?
Replying to @arturjanc @sirdarckcat and
Splitting into primitives is good, but then security config is scattered all over the app.
Replying to @arturjanc @sirdarckcat and
If there are simple, useful primitives we should build them without worrying about header names.
Replying to @arturjanc @patricktoomey and
The box is thinking a response header in an HTML document will fix its XSS.
Replying to @sirdarckcat @patricktoomey and
"default-src 'none'", thanks for playing!
Replying to @arturjanc @patricktoomey and
It's OK, I'm not saying you should stop working on it. Just that the rest should think of new ways
Replying to @sirdarckcat @arturjanc and
10 years, and 3 revisions was enough of a chance. Developers didn't like it.
Replying to @sirdarckcat @arturjanc and
So it would be nice to see what else we can do now. Taking on the problem from different angles.
Replying to @sirdarckcat @arturjanc and
I mean, I guess CSP doesn't need a monopoly on web security to survive.
Sure. There are many proposals for tackling XSS from different angles (suborigins, isolation)...
Replying to @arturjanc @sirdarckcat and
... and we'd benefit from having them all implemented. But they're not mutually exclusive w/ CSP.
Replying to @arturjanc @patricktoomey and
Right. I agree. If CSP is useful for a few companies that's cool. Now on to newer greener pastures.