Blink: Intent to Implement and Ship: 'unsafe-hashed-attributes' in CSP3https://groups.google.com/a/chromium.org/d/msg/blink-dev/bUAhkdsrmqE/nimnFDG3BAAJ …
-
-
Replying to @intenttoship
Another 'unsafe-' keyword :-(. What's the rationale for this? Does this enable use cases that aren't possible with standard CSP & JS?
1 reply 2 retweets 2 likes -
-
This particular unsafe kw enables additional, hard to spot attacks. Reasoning about CSP effectiveness per site gets way more complex.
1 reply 0 retweets 1 like -
Replying to @kkotowicz @slekies and
I agree with y'all. It would let
@arturjanc and others deploy CSP more widely with less effort, but it's a double-edged sword.1 reply 0 retweets 1 like -
Replying to @mikewest @kkotowicz and
The question isn't whether the edges are sharp (they are), but whether there's overriding value in increasing deployment of robust policies.
1 reply 0 retweets 1 like -
Replying to @mikewest @kkotowicz and
It's not at all clear to me what the right answer, is, which is why I'm thrilled that
@andypaicu is taking care of the conversation. :)2 replies 0 retweets 2 likes -
Replying to @mikewest @kkotowicz and
I don't see why it should enable the execution of code like this, not in an attribute: <script>transferAllMyMoney()</script>.
1 reply 0 retweets 1 like -
Replying to @BRIAN_____ @mikewest and
I think once you achieve DOM injection you can do the same thing in an attribute anyway. E.g. <img src='bad' onfail='transferAllMyMoney()'>
3 replies 0 retweets 0 likes -
Replying to @andypaicu @BRIAN_____ and
There are known attacks against the whitelisting scheme proposed. This was tried before, really. See e.g. the paper I linked to before.
1 reply 0 retweets 0 likes
Please file spec bugs if you are aware of attacks that haven't already been covered in past discussions. Thanks!
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.