At first glance I believe https://github.com/w3c/webappsec-csp/issues/98 … from @arturjanc would cover this specific case. (cc @mikewest)
Replying to @randomdross @slekies and
Here markup is stolen, nonce is extracted, then injected. The mitigation wouldn't work here I think.
Replying to @molnar_g @randomdross and
why? It seems like that proposal addresses Sebastian's concern for this PoC
Replying to @sirdarckcat @molnar_g and
For the second PoC it would work, but I think Gabor is referring to the first one.
Replying to @slekies
: But it would be really nice to have a clever way of breaking dangling markup...
@sirdarckcat @molnar_g @randomdross @arturjanc
make browser close prev tag when it finds "<" in attr name? Is there any
Replying to @avlidienbrunn @mikewest and
legit use case with tags in attr name?
Replying to @avlidienbrunn @mikewest and
ohh sorry. I misread your message. You are right, that isn't useful.
might be hard to implement(?) though. Nonce=HMAC with nonce+attr names?