1/ It is okay to discourage use of CSP if a team has no resources to get it right.
Replying to @arturjanc @sirdarckcat and
2/ And for many applications focusing on other security work is more valuable.
Replying to @arturjanc @sirdarckcat and
3/ But there are apps where XSS = game over and where defense-in-depth is important
Replying to @arturjanc @sirdarckcat and
4/ Those apps are some of the more popular ones: FB, GOOG, Twitter, Github, Dropbox
Replying to @arturjanc @sirdarckcat and
5/ Many of them want CSP and they also want to have more options (suborigins, etc.)
Replying to @arturjanc @sirdarckcat and
6/ Despite CSP's (many) flaws it offers useful features we can't get elsewhere.
Replying to @arturjanc @sirdarckcat and
eh. CSP is a last-ditch safety net, needed b/c of lack of good framework
Replying to @tehjh @sirdarckcat and
Sure. But stuff like frame-ancestors, UIR or BAMC can't be in frameworks.
Replying to @arturjanc @sirdarckcat and
why can't UIR or BAMC be implemented by a framework?
Replying to @tehjh @sirdarckcat and
The UA has more context, e.g. can prevent mixed content after redirects.
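The directives named in the two tweets above (frame-ancestors, upgrade-insecure-requests and block-all-mixed-content) are enforced by the user agent, which is why an application framework cannot substitute for them. As an added example that is not part of the thread, the following Python builds a nonce-based defense-in-depth policy that carries those directives and audits an arbitrary policy string for their absence; the parser follows the CSP rule that a repeated directive is ignored (first occurrence wins). The `build_defense_in_depth_csp` and `missing_ua_directives` function names and the sample policies are constructed for this example.

```python
"""Added example (not from the thread): build and audit a Content-Security-Policy
header that carries the directives only the user agent can enforce."""
from typing import Dict, List, Sequence

# Directives the browser enforces with context the server never sees
# (e.g. mixed content introduced after a redirect, or who is framing the page).
UA_ONLY_DIRECTIVES = {
    "frame-ancestors",
    "upgrade-insecure-requests",
    "block-all-mixed-content",
}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Directive names are case-insensitive. Per the CSP spec a duplicated
    directive is ignored (browsers keep the first and warn), so the first
    occurrence wins here too.
    """
    policy: Dict[str, List[str]] = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name in policy:
            continue  # duplicate directive: ignored, as a browser would
        policy[name] = parts[1:]
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Turn the parsed form back into a header value."""
    return "; ".join(
        name if not sources else f"{name} {' '.join(sources)}"
        for name, sources in policy.items()
    )


def build_defense_in_depth_csp(
    script_nonce: str, allowed_framers: Sequence[str] = ("'none'",)
) -> str:
    """Construct a nonce-based policy plus the UA-enforced directives.

    The nonce must be fresh per response and unguessable; this function only
    assembles the header, it does not generate the nonce.
    """
    policy: Dict[str, List[str]] = {
        "default-src": ["'none'"],
        "script-src": [f"'nonce-{script_nonce}'", "'strict-dynamic'"],
        "object-src": ["'none'"],
        "base-uri": ["'none'"],
        "frame-ancestors": list(allowed_framers),   # clickjacking defence
        "upgrade-insecure-requests": [],            # http:// subresources -> https://
        "block-all-mixed-content": [],              # refuse what cannot be upgraded
    }
    return serialize_csp(policy)


def missing_ua_directives(header: str) -> List[str]:
    """Return (sorted) the UA-only directives absent from a policy string."""
    present = parse_csp(header)
    return sorted(UA_ONLY_DIRECTIVES - present.keys())


if __name__ == "__main__":
    # Constructed sample policies for illustration.
    strong = build_defense_in_depth_csp("r4nd0mN0nc3")
    weak = "default-src 'self'; script-src 'self' https://cdn.example"
    print("built:", strong)
    print("missing in strong policy:", missing_ua_directives(strong))
    print("missing in weak policy:", missing_ua_directives(weak))
```

A CSP that only restricts script sources leaves framing and mixed content to the server, which cannot observe them; running `missing_ua_directives` over the policies a site actually serves is a quick way to spot that gap. Note that current browsers block most mixed content by default and treat block-all-mixed-content as obsolete, so on a modern deployment upgrade-insecure-requests and frame-ancestors are the two that still matter.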
FWIW I fully agree that no bugs >> mitigations, but we're far from "no bugs"
Replying to @arturjanc @tehjh and
yes, that's probably true. I wish we had more good mitigations.