By that logic every new URL parameter "adds extra attack surface". Collectors must properly escape data, same as other apps.
But really my point was that if a CSP collector doesn't properly escape data, then it's already boned regardless of `script-sample`.
I'm pretty sure CSP bypasses are the real fake news.
@arturjanc @jasvir
Repeal and replace with something untested and unexplained. Like https://mikewest.github.io/artur-yes/ .
@arturjanc @jasvir
I promised myself I wouldn't tweet about politics, and you guys are making it so hard...
What, you think our site is so innocent? You think we haven't used unsafe-eval, Joe, so you know.
Agreed. FWIW inquisitioners put a lot of time into finding ways to make violations explicable with an illustrative example.
Automating the heuristic for choosing the right illustrative "sample" that is in some sense short & simple is hard but worthwhile.
Interestingly enough *actual* integration with Inquisition might be in the cards as a tool to more easily debug CSP violations :)