Redundancsp ˈɹɪdʌndən̩(t)siː-ɛs-piː 1. The phrase "CSP policy"
The more policies I look at in the wild, the more convinced I am that we need to wrap up CSP3, then start over with something more straightforward, like https://mikewest.github.io/artur-yes/ .
3 replies 0 retweets 6 likes
Replying to @mikewest
The problem with ARTUR (not to confuse with
@arturjanc) is the implied nonce propagation. Not a good safe choice, given what I know about unintended dynamic script loads in most FWs. Still, start from scratch is good.
1 reply 0 retweets 2 likes
Replying to @kkotowicz @arturjanc
I agree that emulating `'strict-dynamic'` seems like something that should be off by default. That document's not terribly well thought-through, but seems like a good starting point for a reboot.
2 replies 0 retweets 0 likes
Replying to @mikewest @kkotowicz
I think you're both right ;) In a new mechanism we'd still need switches to enable some unsafe things to aid deployment (eval() / 's-d' trust propagation / hashes for trusted markup), but we could make it simpler to express this.
1 reply 0 retweets 0 likes
Replying to @arturjanc @mikewest
Leaning on development aid for adoption gains is a path to: Artur: nonce "123"; csp: "X-Content-Security-Policy: script-src unsafe-inline 'nonce-123' script-dynamic unsafe-hashed-attributes unsafe-eval http://foo ..."
1 reply 0 retweets 0 likes
Eh, the main problems with CSP complexity are: 1) Lots of directives which don't do much. 2) All the backcompat 'unsafe-*' cruft to avoid U-A sniffing. A new mechanism solely to control script behavior avoids both even if it's as expressive as current script-src.
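The behaviour the replies argue about, as an added example that is not part of the thread and not code from Mike West, Krzysztof Kotowicz, Artur Janc or any browser: a reduced model of the CSP3 script-src decision. It shows the "implied nonce propagation" of 'strict-dynamic' (a script element created by already-running script is trusted whatever its src, so a framework's dynamic loader fed an attacker-influenced URL becomes a bypass), and the backcompat cruft from the last tweet (`https:` and 'unsafe-inline' are parsed but ignored once a nonce and 'strict-dynamic' are present). The page origin, the two policies, the URLs and all function names are constructed for the example; the matching rules are a simplification of the spec's algorithm (no default-src fallback, no SRI hashes for external scripts, simplified host matching).

```javascript
// Added example, not from the thread: a simplified model of the CSP3
// script-src decision. Page origin and policies are constructed.
const PAGE_ORIGIN = 'https://app.example';

// Parse the script-src directive out of a Content-Security-Policy value.
// Returns null when the directive is absent (default-src fallback not modelled).
function parseScriptSrc(policy) {
  const directive = policy.split(';').map(d => d.trim())
    .find(d => /^script-src(\s|$)/i.test(d));
  if (!directive) return null;
  const src = { nonces: new Set(), hashes: new Set(), hosts: [],
                strictDynamic: false, unsafeInline: false, self: false };
  for (const tok of directive.split(/\s+/).slice(1)) {
    const t = tok.toLowerCase();
    if (t === "'strict-dynamic'") src.strictDynamic = true;
    else if (t === "'unsafe-inline'") src.unsafeInline = true;
    else if (t === "'self'") src.self = true;
    else if (t.startsWith("'nonce-")) src.nonces.add(tok.slice(7, -1)); // nonce is case-sensitive
    else if (/^'sha(256|384|512)-/.test(t)) src.hashes.add(tok.slice(1, -1));
    else if (t !== "'unsafe-eval'") src.hosts.push(t); // host-source or scheme-source
  }
  return src;
}

// Simplified host-source / scheme-source matching: '*', 'https:', exact host,
// '*.' wildcard, optional explicit port. Real CSP has more cases than this.
function hostMatches(expr, url) {
  const u = new URL(url);
  if (expr === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return u.protocol === expr;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?/.exec(expr);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && scheme + ':' !== u.protocol) return false;
  if (port && port !== '*' && port !== u.port) return false;
  return wild ? u.hostname.endsWith('.' + host) : u.hostname === host;
}

// script: { url?, inline?, nonce?, hash?, parserInserted }
//   parserInserted is true for <script> in markup, document.write() and
//   innerHTML; false for elements built by running script (createElement).
function allowsScript(src, script) {
  if (src === null) return { allowed: true, reason: 'no script-src directive' };
  if (script.nonce !== undefined && src.nonces.has(script.nonce))
    return { allowed: true, reason: 'nonce matches' };
  if (script.inline && script.hash !== undefined && src.hashes.has(script.hash))
    return { allowed: true, reason: 'hash matches' };
  if (src.strictDynamic) {
    // 'strict-dynamic': host/scheme sources, 'self' and 'unsafe-inline' are
    // ignored; trust propagates to every non-parser-inserted script on the
    // assumption that only already-trusted script could have created it.
    return script.parserInserted
      ? { allowed: false, reason: 'parser-inserted without nonce/hash under strict-dynamic' }
      : { allowed: true, reason: 'non-parser-inserted: trust propagated by strict-dynamic' };
  }
  const hasNonceOrHash = src.nonces.size > 0 || src.hashes.size > 0;
  if (script.inline) {
    // 'unsafe-inline' is a backcompat fallback: ignored once a nonce/hash is present.
    if (src.unsafeInline && !hasNonceOrHash) return { allowed: true, reason: "'unsafe-inline'" };
    return { allowed: false, reason: hasNonceOrHash
      ? "'unsafe-inline' ignored because the policy carries a nonce/hash"
      : 'inline script without nonce, hash or unsafe-inline' };
  }
  if (src.self && new URL(script.url).origin === PAGE_ORIGIN)
    return { allowed: true, reason: "'self'" };
  const host = src.hosts.find(h => hostMatches(h, script.url));
  return host ? { allowed: true, reason: `host-source ${host}` }
              : { allowed: false, reason: 'no matching host-source' };
}

// Scenarios mirroring the thread: nonce + 'strict-dynamic' versus a host
// allowlist, exercised with the kind of dynamic load a framework performs.
const STRICT = "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' https: 'unsafe-inline'";
const ALLOWLIST = "script-src 'self' https://cdn.example";

function runScenarios() {
  const strict = parseScriptSrc(STRICT), allow = parseScriptSrc(ALLOWLIST);
  // e.g. $.getScript(userControlledUrl) from the nonced bundle: element is
  // created by script, hence NOT parser-inserted.
  const dynamicLoad = { url: 'https://attacker.example/x.js', parserInserted: false };
  const docWrite    = { url: 'https://attacker.example/x.js', parserInserted: true };
  const markupInline = { inline: true, parserInserted: true };
  const noncedBundle = { url: PAGE_ORIGIN + '/bundle.js', nonce: 'r4nd0m', parserInserted: true };
  const cdnLib = { url: 'https://cdn.example/lib.js', parserInserted: true };
  return {
    strictNonced: allowsScript(strict, noncedBundle).allowed,        // true
    strictDynamicLoad: allowsScript(strict, dynamicLoad).allowed,    // true: the sharp edge
    strictDocWrite: allowsScript(strict, docWrite).allowed,          // false: https: is ignored
    strictInline: allowsScript(strict, markupInline).allowed,        // false: 'unsafe-inline' ignored
    allowlistDynamicLoad: allowsScript(allow, dynamicLoad).allowed,  // false: host not listed
    allowlistCdn: allowsScript(allow, cdnLib).allowed,               // true
  };
}
```

The point of `strictDynamicLoad` being true is the one the second reply makes: the policy never names attacker.example, but the nonced bundle's loader created the element, so the browser has no way to tell an intended lazy-load from a DOM-injection-driven one. The allowlist policy blocks that same request but, as the last tweet notes, only by carrying a host list that must be kept in sync with every CDN the app uses.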