1/ It is okay to discourage use of CSP if a team has no resources to get it right.
2/ And for many applications focusing on other security work is more valuable.
3/ But there are apps where XSS = game over and where defense-in-depth is important
4/ Those apps are some of the more popular ones: FB, GOOG, Twitter, GitHub, Dropbox
5/ Many of them want CSP and they also want to have more options (suborigins, etc.)
6/ Despite CSP's (many) flaws it offers useful features we can't get elsewhere.
7/ So while I agree w/ criticism, it's not reasonable to just drop it & #CSPexit ;)
8/ Best we can do is work on alternatives (I do) & help improve CSP in the meantime
9/ There are "easy" ways to do it that could also make those who dislike CSP happy
10/ E.g. opt-in switches to fix dangerous APIs, likely better nonces/hashes, etc.
11/ If we treat CSP as anathema then we won't objectively evaluate such features.
12/ And that'd be a shame for users who'd otherwise benefit from the changes. [fin]