That’s not what I’m proposing at all. I merely propose that websites only run their own code.
Replying to @johnwilander @arturjanc
The web has that feature - it's script-src self (+whitelists for the site/eTLD+1). It's opt in, and the adoption rate is poor for many reasons. Mandating it seems like a very difficult task, as very few authors would want to have such limitations.
Replying to @kkotowicz @arturjanc
That is the tragedy of the commons. Developers want the freedom but not the consequences. End users are deceived and pay the price. We can do something about it.
Replying to @johnwilander @arturjanc
XSS, for the most part, is not caused by distributed code loading in your app. It lurks in a total codebase complexity of modern apps, and a lack of safe defaults. Changing domain names does not solve XSS.
Replying to @kkotowicz @arturjanc
I believe you’re talking about bugs. I’m talking about what scripts get executed. Only files and only from your domain or from one chosen CDN with your own eTLD+1 scope and checked through SRI. Any other script will not be executed.
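The policy sketched in the tweet above ('self' plus one chosen CDN, every script checked through SRI) as an added, stand-alone example in Python; it is not code from any participant in the thread. SITE_ORIGIN and CDN_ORIGIN are constructed placeholder values, and the check is deliberately stricter than a browser's default, since it refuses any script that carries no integrity attribute.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Constructed values (not from the thread): the site's own origin and the
# single CDN it chooses to trust for scripts.
SITE_ORIGIN = "https://www.example.com"
CDN_ORIGIN = "https://cdn.example.com"
SRI_ALGOS = ("sha256", "sha384", "sha512")  # the digests SRI permits


def sri_integrity(script_bytes: bytes, algo: str = "sha384") -> str:
    """Integrity attribute value for a script body, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def build_csp(cdn_origin: str) -> str:
    """script-src limited to the site itself and one CDN; no 'unsafe-inline'."""
    return f"script-src 'self' {cdn_origin}; object-src 'none'; base-uri 'none'"


def allowed_script_origins(policy: str, site_origin: str) -> set:
    """Parse the script-src directive into concrete origins ('self' -> site)."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0] == "script-src":
            return {site_origin if t == "'self'" else t for t in tokens[1:]}
    return set()


def script_allowed(policy: str, site_origin: str, src: Optional[str],
                   script_bytes: bytes, integrity: Optional[str]) -> bool:
    """Would this script run under the policy *and* the thread's SRI rule?
    Stricter than a browser: a script with no integrity attribute is refused."""
    if src is None:                      # inline script: no 'unsafe-inline'
        return False
    parts = urlsplit(src)
    origin = f"{parts.scheme}://{parts.netloc}".lower()
    allowed = {o.lower() for o in allowed_script_origins(policy, site_origin)}
    if origin not in allowed:
        return False                     # neither the site nor the chosen CDN
    if not integrity or "-" not in integrity:
        return False                     # SRI tag required by the proposal
    algo = integrity.split("-", 1)[0]
    if algo not in SRI_ALGOS:
        return False
    # Constant-time compare of the fetched body's digest against the tag.
    return hmac.compare_digest(sri_integrity(script_bytes, algo), integrity)
```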
Yes, koto started the thread talking about XSS which is a class of bugs. You're talking about intentional 3rd party scripts. That's not XSS. Unlikely to go away unless we find a non-advertising model for the web.
Replying to @dveditz @johnwilander and
It is so much more than advertising. Performance, security, the basic architecture of the web...
... utilities for abuse detection (captchas), A/B testing, analytics / site metrics, sharing / bookmarking functionality, commenting, APIs that provide geo data, payments, authentication, translations, accessibility...
Replying to @arturjanc @hillbrad and
Applications generally integrate with these services because they want the functionality they offer, and trust their providers. We could force them to hide this and move the logic server-side, but... to what end?
Replying to @arturjanc @hillbrad and
The thing I find frustrating with many of these services (even non-tracking ones) is their lack of integration options. So many are a script src to your site or nothing. We have good devs that are willing to do a bit of dev talking postMessage to an iframe or something...nope.
I'm 100% with you on that, but can we really expect these services to only provide data, rather than code? The functionality often relies on behaviors that you *want* the service to handle for you so you don't have to implement things yourself (same as with server-side libraries)
Replying to @arturjanc @hillbrad and
Fair...I’ve got my bias blinders on. For a company the size of google the answer is “yeah...no way..can’t risk it”. For a 2 person startup the answer is “for sure...not even a question”. And, for companies in the middle (github being one), it is a constant painful choice.