XSS, for the most part, is not caused by distributed code loading in your app. It lurks in the total codebase complexity of modern apps, and a lack of safe defaults. Changing domain names does not solve XSS.
Replying to @kkotowicz @arturjanc
Cross-site scripting is execution of foreign scripts, inline or from 3rd-party domains.
Replying to @johnwilander @arturjanc
That literal interpretation of the name is substantially different from how the websec field uses the term. I discuss and am interested in solving the bug - OWASP A7. For that, the source domain name is irrelevant.
Replying to @kkotowicz @arturjanc
OK. I want to solve the larger problem of untrustworthy script execution on the web. Cross-site scripting is part of the current web’s design and I want to get rid of that.
An interesting observation is that the businesses that run the most 3rd party scripts on the web would never dream of running 3rd party scripts on their own sites and web apps. I wonder why?
Replying to @johnwilander @arturjanc
Not my field of expertise, but I believe the answer is bespoke threat modelling.
Replying to @kkotowicz @arturjanc
Running anyone else’s script on your site is bad for security and privacy. It should have never been allowed. The src attribute of <script> should have been same-origin from the start. Then we would have added cross-origin with mandated SRI and CORS.
Replying to @johnwilander @kkotowicz
Out of curiosity, do you believe that other applications ecosystems (mobile, desktop) should also prevent developers from using any third-party code?
To be fair, web is more nuanced in that mobile/desktop (usually) doesn’t equate “third-party libraries” to “dynamically fetch and execute code from servers you may have zero control over”.
This would be a more meaningful distinction if developers re-reviewed third-party libraries every time they rebuild their applications. Otherwise you still entrust the integrity of your application to someone else's code/infrastructure.
And note that a script fetched from the same origin as the application is in no way a guarantee that it's a "first-party" script because, um, server-side proxying? ;-)