By that logic every new URL parameter "adds extra attack surface". Collectors must properly escape data, same as other apps.
Replying to @arturjanc
By that logic all these CSP features "don't remove extra attack surface". Apps must properly escape data, same as other apps. ;)
Replying to @jasvir
We can short-circuit this conversation by agreeing that a CSP violation reporting UI has to use CSP and send reports to itself ;)
Replying to @arturjanc @jasvir
But really my point was that if a CSP collector doesn't properly escape data, then it's already boned regardless of `script-sample`.
Replying to @arturjanc
Agreed. FWIW inquisitioners put a lot of time into finding ways to make violations explicable with an illustrative example.
Replying to @jasvir @arturjanc
Automating the heuristic for choosing the right illustrative "sample" that is in some sense short & simple is hard but worthwhile.
Interestingly enough *actual* integration with Inquisition might be in the cards as a tool to more easily debug CSP violations :)
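The point the thread keeps returning to is that a CSP report collector is itself a web app fed attacker-influenced strings, so whatever it renders (including `script-sample`) has to be escaped like any other untrusted input. The following is an added example, not code from any of the participants: a minimal report parser with an unescaped renderer beside the escaped one, so the difference can be checked directly. The report body is constructed for the example and is not a real violation.

```python
import html
import json

# Constructed sample CSP violation report (classic report-uri JSON shape).
# The script-sample field holds the start of the blocked inline script, i.e.
# text that originates from whatever was injected into the page.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.test/page",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "inline",
        "script-sample": "<b>bold</b><script>void(0)</script>",
    }
})

# Fields the collector UI displays, in column order.
FIELDS = ("document-uri", "violated-directive", "blocked-uri", "script-sample")


def parse_report(body: str) -> dict:
    """Parse a report-uri style JSON body into a flat dict of display fields.

    Missing fields become empty strings; every value is coerced to str so the
    renderer never sees nested JSON objects.
    """
    data = json.loads(body)
    report = data.get("csp-report", {})
    return {key: str(report.get(key, "")) for key in FIELDS}


def render_row_unescaped(report: dict) -> str:
    """The mistake the thread describes: fields interpolated straight into HTML.

    Any markup inside script-sample is emitted as live markup in the
    collector's own UI.
    """
    cells = "".join(f"<td>{report[key]}</td>" for key in FIELDS)
    return f"<tr>{cells}</tr>"


def render_row(report: dict) -> str:
    """Escaped rendering: every field passes through html.escape.

    html.escape converts <, >, &, and both quote characters, so the sample is
    shown as text rather than interpreted by the collector's page.
    """
    cells = "".join(f"<td>{html.escape(report[key])}</td>" for key in FIELDS)
    return f"<tr>{cells}</tr>"


def contains_raw_markup(rendered_row: str) -> bool:
    """Simple self-check a collector test suite can run: a rendered row should
    contain no unescaped <script> or <b> tag from the report contents."""
    return "<script>" in rendered_row or "<b>" in rendered_row


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(render_row(parsed))
    print("unescaped row leaks markup:", contains_raw_markup(render_row_unescaped(parsed)))
    print("escaped row leaks markup:  ", contains_raw_markup(render_row(parsed)))
```

The same rule applies whether the collector receives the older `csp-report` JSON or Reporting API batches: the shape of the envelope changes, the escaping requirement on each displayed field does not.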