Great talk by @0x6D6172696F. I agree 99%, for the 1% see comment. https://twitter.com/shafigullin/status/998117117726670849
-
The vague carrot of “you may not be hacked” plus complexity killed CSP. Next try should apply more stick. The web as a platform for business, communication etc. deserves much better than XSS whack-a-mole because developers want inline scripts. Tragedy of the commons.
-
You're proposing an app store that happens to use http. That's not the web platform.
-
That’s not what I’m proposing at all. I merely propose that websites only run their own code.
-
The web has that feature - it's script-src self (+whitelists for the site/eTLD+1). It's opt in, and the adoption rate is poor for many reasons. Mandating it seems like a very difficult task, as very few authors would want to have such limitations.
-
That is the tragedy of the commons. Developers want the freedom but not the consequences. End users are deceived and pay the price. We can do something about it.
-
XSS, for the most part, is not caused by distributed code loading in your app. It lurks in a total codebase complexity of modern apps, and a lack of safe defaults. Changing domain names does not solve XSS.
-
I believe you’re talking about bugs. I’m talking about what scripts get executed. Only files and only from your domain or from one chosen CDN with your own eTLD+1 scope and checked through SRI. Any other script will not be executed.
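As an added illustration (not part of the thread, and not code by any of the participants) of the policy sketched in the two replies above: a CSP whose script-src names only the site's own origin plus one chosen CDN, with CDN scripts further pinned by SRI. The origins are constructed placeholders, and the checker is a simplified model of browser behaviour; note that browsers do not by default require an integrity attribute on cross-origin scripts, so the "CDN script without SRI is refused" rule here is the proposal's stricter stance, not current default enforcement.

```python
# Added example: model of "only own-origin scripts, plus one CDN checked via SRI".
# Not from the thread; origins below are constructed placeholders.
import base64
import hashlib
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example.com"   # constructed
CDN_ORIGIN = "https://cdn.example.com"    # constructed: the single allowed CDN


def sri_integrity(script_bytes, algo="sha384"):
    """Return the SRI integrity token for a script body, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_csp(cdn_origin=CDN_ORIGIN):
    """Content-Security-Policy value: own origin plus exactly one CDN origin.
    No 'unsafe-inline', nonce or hash, so inline scripts do not run."""
    return f"script-src 'self' {cdn_origin}; object-src 'none'; base-uri 'self'"


def _script_src_sources(policy):
    """Extract the source list of the script-src directive."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []


def _origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def script_allowed(policy, src_url, page_origin, integrity=None, fetched_body=None):
    """Decide whether a <script> would execute under the policy.

    src_url None models an inline script. Cross-origin (CDN) scripts must
    carry an integrity token that matches the bytes actually fetched.
    Returns (allowed, reason).
    """
    sources = _script_src_sources(policy)
    if src_url is None:
        return False, "inline script blocked: no 'unsafe-inline', nonce or hash"
    origin = _origin_of(src_url)
    allowed_origins = {page_origin if s == "'self'" else s for s in sources}
    if origin not in allowed_origins:
        return False, f"origin {origin} not listed in script-src"
    if origin != page_origin:
        if integrity is None:
            return False, "cross-origin script without integrity attribute"
        algo = integrity.split("-", 1)[0]
        if sri_integrity(fetched_body, algo) != integrity:
            return False, "SRI mismatch: fetched bytes differ from pinned hash"
    return True, "allowed"


if __name__ == "__main__":
    body = b"console.log('hello from cdn');"  # constructed script body
    policy = build_csp()
    print("CSP:", policy)
    print(script_allowed(policy, CDN_ORIGIN + "/lib.js", SITE_ORIGIN,
                         sri_integrity(body), body))
    print(script_allowed(policy, "https://third.example.net/x.js", SITE_ORIGIN))
```

The interesting failure mode is the tampered CDN file: the origin is whitelisted, so CSP alone would let it run, and only the SRI mismatch stops it.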
-
Yes, koto started the thread talking about XSS which is a class of bugs. You're talking about intentional 3rd party scripts. That's not XSS. Unlikely to go away unless we find a non-advertising model for the web.