An entertaining article about the dangers of untrusted JS dependencies. But it gets one crucial thing wrong: CSP is absolutely not capable of preventing data exfiltration once the attacker's script runs in the context of your app. https://lists.w3.org/Archives/Public/public-webappsec/2016Sep/0012.html http://www.cse.chalmers.se/~andrei/asiaccs16.pdf https://twitter.com/D__Gilbertson/status/949563399272361984
So: read it and keep npm dependencies in mind when considering your webapp's threat model, but don't drop everything to add CSP as a protection against this problem. It unfortunately won't help.