Also, fixating on the "CSP" label is silly; the spec includes many things, some useful, some not.
2/ And for many applications focusing on other security work is more valuable.
3/ But there are apps where XSS = game over and where defense-in-depth is important
4/ Those apps are some of the more popular ones: FB, GOOG, Twitter, Github, Dropbox
5/ Many of them want CSP and they also want to have more options (suborigins, etc.)
6/ Despite CSP's (many) flaws it offers useful features we can't get elsewhere.
7/ So while I agree w/ criticism, it's not reasonable to just drop it & #CSPexit ;)
8/ Best we can do is work on alternatives (I do) & help improve CSP in the meantime
9/ There are "easy" ways to do it that could also make those who dislike CSP happy
10/ E.g. opt-in switches to fix dangerous APIs, likely better nonces/hashes, etc.
11/ If we treat CSP as anathema then we won't objectively evaluate such features.
12/ And that'd be a shame for users who'd otherwise benefit from the changes. [fin]