Another 'unsafe-' keyword :-(. What's the rationale for this? Does this enable use cases that aren't possible with standard CSP & JS?
-
-
-
Talk to
@arturjanc. - 13 more replies
New conversation -
-
-
Doesn't that enable attacks like in http://www.cs.columbia.edu/~vpappas/papers/xjs.webapps10.pdf … 3.1? Code safe for a.onclick may be bad when applied to iframe.onload
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
I think once you achieve DOM injection you can do the same thing in an attribute anyway. E.g. <img src='bad' onfail='transferAllMyMoney()'>
-
There are known attacks against the whitelisting scheme proposed. This was tried before, really. See e.g. the paper I linked to before.
- 1 more reply
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.