Also, much of my job is to trim CSP down to only the useful bits and adopt these =)
7/ So while I agree w/ criticism, it's not reasonable to just drop it & #CSPexit ;)
8/ Best we can do is work on alternatives (I do) & help improve CSP in the meantime
9/ There are "easy" ways to do it that could also make those who dislike CSP happy
10/ E.g. opt-in switches to fix dangerous APIs, likely better nonces/hashes, etc.
11/ If we treat CSP as anathema then we won't objectively evaluate such features.
12/ And that'd be a shame for users who'd otherwise benefit from the changes. [fin]
eh. CSP is a last-ditch safety net, needed b/c of lack of good framework

Sure. But stuff like frame-ancestors, UIR or BAMC can't be in frameworks.

why can't UIR or BAMC be implemented by a framework?

The UA has more context, e.g. can prevent mixed content after redirects.

FWIW I fully agree that no bugs >> mitigations, but we're far from "no bugs"

yes, that's probably true. I wish we had more good mitigations.