A hypothetical `Scripting-Policy: nonce="number-used-once-goes-here"` could be substantially more focused, and simpler for developers to understand and deploy. A similarly speculative `Confinement-Policy` could deal only with Fetch, likewise providing clarity.
I'm not actually convinced this is worth us collectively spending time on (CSP _exists_, after all, and there are pressing problems), but some conversation with clever folks like
@arturjanc, @we1x, and @mikispag makes it clear that this is at least worth discussing a bit. WDYT?
(Also, this was just a fun way to procrastinate a bit on the 17 other things I'm supposed to be doing this week.)
"ARTUR is a silly suggestion that is obviously a bad idea as specified". I see what you did there. You thought of it from the very beginning, didn't you?
This has been in the back of several people's heads for years. I don't think the direction would be a surprise to anyone who's been paying attention to various conversations in WebAppSec. :)
What if we added specific sanitization APIs to the DOM? Literally every time I have to go look into what a new framework or library is doing under the hood for that or try to find a standalone library for it, I wish wistfully for this.
@freddyb and @cure53berlin were looking into that. It just hasn't bubbled up anyone's list far enough to spend the time on it that's necessary.
I like the Scripting-Policy part, which gives a good focus on XSS (and should be where most website developers start); but Resource Confinement is probably more powerful with the current CSP syntax (maybe with some bits deprecated).