Unfortunately there's very little chance of this working. CSP tried getting developers to remove inline <script>s and failed miserably, for a myriad of reasons.
Replying to @arturjanc @kkotowicz
The vague carrot of “you may not be hacked” plus complexity killed CSP. Next try should apply more stick. The web as a platform for business, communication etc. deserves much better than XSS whack-a-mole because developers want inline scripts. Tragedy of the commons.
Replying to @johnwilander @arturjanc
You're proposing an app store that happens to use http. That's not the web platform.
Replying to @kkotowicz @arturjanc
That’s not what I’m proposing at all. I merely propose that websites only run their own code.
Replying to @johnwilander @arturjanc
The web has that feature - it's script-src self (+whitelists for the site/etld+1). It's opt in, and the adoption rate is poor for many reasons. Mandating it seems like a very difficult task, as very few authors would want to have such limitations.
Replying to @kkotowicz @arturjanc
That is the tragedy of the commons. Developers want the freedom but not the consequences. End users are deceived and pay the price. We can do something about it.
Replying to @johnwilander @arturjanc
XSS, for the most part, is not caused by distributed code loading in your app. It lurks in a total codebase complexity of modern apps, and a lack of safe defaults. Changing domain names does not solve XSS.
Replying to @kkotowicz @arturjanc
I believe you’re talking about bugs. I’m talking about what scripts get executed. Only files and only from your domain or from one chosen CDN with your own eTLD+1 scope and checked through SRI. Any other script will not be executed.
Yes, koto started the thread talking about XSS which is a class of bugs. You're talking about intentional 3rd party scripts. That's not XSS. Unlikely to go away unless we find a non-advertising model for the web.
I think it’s XSS if you don’t have SRI, because any XSS, compromise, or ill will from that server and you’re running arbitrary code on your pages. Cross-Site Scripting – it’s in the name.
You might want to consider what response you'll get from pretty much any company's bug bounty program if you report cross-origin JS loads as "XSS". Nomenclature matters ;)
Sure. The name is not a biggie for me. I stand by that we should step by step get rid of 3rd-party scripting and inline scripting. It would really help the web.
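The policy the thread argues over (script-src 'self' plus one chosen CDN, no inline script, CDN files pinned with SRI), as an added Python example that is not part of the thread or any participant's code. The origins, the sample script body and the simplified origin-only source matching are assumptions; real CSP matching also handles schemes, paths and wildcards.

```python
import base64
import hashlib
import hmac
from typing import List, Optional
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://www.example.com"  # constructed sample origin of the page
CDN_ORIGIN = "https://cdn.example.com"   # constructed: the one CDN the site chooses

def csp_header(cdn_origin: str = CDN_ORIGIN) -> str:
    """Policy value as described in the thread: own origin plus one CDN, nothing inline."""
    return f"script-src 'self' {cdn_origin}; object-src 'none'; base-uri 'none'"

def script_sources(policy: str) -> List[str]:
    """Return the source tokens of the script-src directive ([] if the directive is absent)."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []

def script_allowed(policy: str, src: Optional[str], page_origin: str = PAGE_ORIGIN) -> bool:
    """Simplified browser decision: may an external (src=URL) or inline (src=None) script run?"""
    sources = script_sources(policy)
    if src is None:  # inline <script> block or on* event handler attribute
        return "'unsafe-inline'" in sources
    u = urlsplit(src)
    origin = f"{u.scheme}://{u.netloc}"
    if "'self'" in sources and origin == page_origin:
        return True
    return origin in sources  # exact-origin allowlist entries only (assumption)

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity token for a file body, e.g. 'sha384-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI supports only sha256, sha384 and sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(body: bytes, integrity: str) -> bool:
    """What the browser does before executing a pinned script: recompute and compare."""
    algo = integrity.partition("-")[0]
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_hash(body, algo), integrity)

if __name__ == "__main__":
    body = b"console.log('app');\n"  # constructed stand-in for the file served by the CDN
    tag = f'<script src="{CDN_ORIGIN}/app.js" integrity="{sri_hash(body)}" crossorigin="anonymous">'
    print(csp_header(), tag, sep="\n")
    print("tampered copy accepted:", verify_sri(body + b"//x", sri_hash(body)))
```

Swapping the CDN file for a modified copy makes `verify_sri` return False, which is the property the thread's "checked through SRI" remark relies on.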