Redundancsp ˈɹɪdʌndən̩(t)siː-ɛs-piː 1. The phrase "CSP policy"
The more policies I look at in the wild, the more convinced I am that we need to wrap up CSP3, then start over with something more straightforward, like https://mikewest.github.io/artur-yes/ .
Replying to @mikewest
The problem with ARTUR (not to be confused with @arturjanc) is the implied nonce propagation. Not a good safe choice, given what I know about unintended dynamic script loads in most FWs. Still, starting from scratch is good.
Replying to @kkotowicz @arturjanc
I agree that emulating `'strict-dynamic'` seems like something that should be off by default. That document's not terribly well thought-through, but seems like a good starting point for a reboot.
Replying to @mikewest @arturjanc
Totally. A reboot will have an adoption disadvantage the longer work on the legacy solution takes. If we already know how to design a better thing, why spend time on a known-bad?
Replying to @kkotowicz @mikewest
To borrow a page from IETF's book: "We believe in rough consensus and running code." New more elegant mechanisms are great, but they take time and don't always end up shipping. However unsatisfying, ugly existing mechanisms which do the job... do the job.
Replying to @arturjanc @mikewest
"Which do the job"... of confusing devs and security teams, mostly, as exemplified by pentest results, numerous papers, and my humble experience. In practice, I'm afraid CSP doesn't work (for XSS) nearly as well as has been expected of it.
Replying to @kkotowicz @mikewest
Absolutely no argument from me regarding developer confusion, etc. I mean "do the job" in the narrow sense of already supporting those restrictions that we'd want to port to the New Thing (e.g. requiring nonces/hashes to execute scripts).
Replying to @arturjanc @mikewest
Understood. But there is already full support for those in major UAs. Why keep fiddling with CSP? Isn't it better to just move on and work on the reboot?
I think this is exactly what @mikewest is suggesting :) The main thing is that "fiddling" with CSP3 results in features which help solve the problems mentioned by @0x6D6172696F (e.g. hashes for event handlers instead of 'unsafe-inline') *and* have a chance of shipping this year.