By that logic all these CSP features "doesn't remove extra attack surface". Apps must properly escape data, same as other apps. ;)
-
We can short-circuit this conversation by agreeing that a CSP violation reporting UI has to use CSP and send reports to itself ;)
-
But really my point was that if a CSP collector doesn't properly escape data, then it's already boned regardless of `script-sample`.
-
I'm pretty sure CSP bypasses are the real fake news.
-
Repeal and replace with something untested and unexplained. Like https://mikewest.github.io/artur-yes/ .
-
I promised myself I wouldn't tweet about politics, and you guys are making it so hard...