Any operators of new TLDs want HSTS for the whole TLD? https://www.imperialviolet.org/2014/07/06/newtlds.html …
@bascule Possible, but very easy to escape that by <script>ing in JavaScript from an origin in a different TLD.
@randomoracle @agl__ X.509 name constraints don't seem to work very well, e.g.: https://lists.eff.org/pipermail/observatory/2011-April/000173.html …

@bascule @randomoracle @agl__ NC doesn't address the point though - new.domain can script http://evil.com and get owned //@fugueish

@sleevi_ @randomoracle @agl__ @fugueish subresource integrity would also help a lot here

@bascule @randomoracle @agl__ @fugueish Or just hosting the damn script on your domain if you care about security ;)
@randomoracle @sleevi_ @agl__ @fugueish subresource integrity ensures that 3rd-party 0wnage is, at worst, a DoS attack