The vague carrot of “you may not be hacked” plus complexity killed CSP. Next try should apply more stick. The web as a platform for business, communication etc. deserves much better than XSS whack-a-mole because developers want inline scripts. Tragedy of the commons.
Replying to @johnwilander @arturjanc
You're proposing an app store that happens to use http. That's not the web platform.
Replying to @kkotowicz @arturjanc
That’s not what I’m proposing at all. I merely propose that websites only run their own code.
Replying to @johnwilander @arturjanc
The web has that feature - it's script-src self (+whitelists for the site/etld+1). It's opt in, and the adoption rate is poor for many reasons. Mandating it seems like a very difficult task, as very few authors would want to have such limitations.
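The `script-src self` mechanism referred to in the reply above, as an added example that is not part of the thread: a simplified Python model of how a browser decides whether a script may run under a given Content-Security-Policy. This is my own illustration, not a reference implementation of the CSP specification. It covers `'self'`, scheme sources, host sources with a leading wildcard label, and `'unsafe-inline'`; nonces, hashes, `'strict-dynamic'`, path matching and port wildcards are deliberately left out. The policy, page origin and script URLs in the demo are constructed.

```python
"""Simplified model of CSP script-src source matching (illustration, not the spec).

Left out on purpose: nonces, hashes, 'strict-dynamic', path matching, port wildcards.
"""
from urllib.parse import urlparse


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern_host: str, host: str) -> bool:
    """Host-source match: exact host, or '*.example.com' covering subdomains only."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]            # ".example.com"
        return host.endswith(suffix) and host != suffix[1:]
    return pattern_host == host


def script_allowed(policy: dict, page_origin: str,
                   script_url: str = None, inline: bool = False) -> bool:
    """Return True if the policy lets the page run the given (inline or external) script."""
    if "script-src" in policy:
        sources = policy["script-src"]
    elif "default-src" in policy:
        sources = policy["default-src"]      # script-src falls back to default-src
    else:
        return True                          # no CSP restriction on scripts at all

    if inline:
        # Inline scripts need an explicit 'unsafe-inline' (nonces/hashes not modelled here).
        return "'unsafe-inline'" in sources

    page = urlparse(page_origin)
    script = urlparse(script_url)
    for src in sources:
        if src == "'self'":
            # 'self' means the page's own origin: scheme, host and port must all agree.
            if (script.scheme, script.hostname, script.port) == \
               (page.scheme, page.hostname, page.port):
                return True
        elif src == "*":
            if script.scheme in ("http", "https"):
                return True
        elif src.endswith(":") and "/" not in src:
            # Scheme source such as "https:" (constructed handling, simplified).
            if script.scheme == src[:-1].lower():
                return True
        elif not src.startswith("'"):
            # Host source, with or without an explicit scheme.
            pattern = urlparse(src if "://" in src else "//" + src)
            if pattern.scheme and pattern.scheme != script.scheme:
                continue
            if not pattern.scheme and script.scheme != page.scheme and script.scheme != "https":
                continue
            if pattern.hostname and _host_matches(pattern.hostname, script.hostname or ""):
                return True
    return False


if __name__ == "__main__":
    # Constructed policy and page: 'self' plus one allow-listed CDN host.
    policy = parse_csp("default-src 'none'; script-src 'self' https://cdn.example.com")
    page = "https://shop.example.com"
    checks = {
        "own script":  dict(script_url="https://shop.example.com/app.js"),
        "CDN script":  dict(script_url="https://cdn.example.com/lib.js"),
        "third party": dict(script_url="https://tracker.example.net/t.js"),
        "inline":      dict(inline=True),
    }
    for label, kwargs in checks.items():
        print(f"{label:12s} allowed={script_allowed(policy, page, **kwargs)}")
```

Running the demo shows the trade-off the thread is arguing about: under `script-src 'self'` the site's own bundle and the explicitly allow-listed CDN load, while the third-party host and the inline `<script>` are blocked, which is exactly the restriction many authors decline to opt into.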
Replying to @kkotowicz @arturjanc
That is the tragedy of the commons. Developers want the freedom but not the consequences. End users are deceived and pay the price. We can do something about it.
Replying to @johnwilander @arturjanc
XSS, for the most part, is not caused by distributed code loading in your app. It lurks in a total codebase complexity of modern apps, and a lack of safe defaults. Changing domain names does not solve XSS.
Replying to @kkotowicz @arturjanc
Cross-site scripting is execution of foreign scripts, inline or from 3rd-party domains.
Replying to @johnwilander @arturjanc
That literal interpretation of the name is substantially different from how the websec field uses the term. I discuss and am interested in solving the bug - OWASP A7. For that, the source domain name is irrelevant.
Replying to @kkotowicz @arturjanc
OK. I want to solve the larger problem of untrustworthy script execution on the web. Cross-site scripting is part of the current web’s design and I want to get rid of that.
An interesting observation is that the businesses that run the most 3rd party scripts on the web would never dream of running 3rd party scripts on their own sites and web apps. I wonder why?
Trust isn't bi-directional.