The degree to which we've just given up on in-process security makes me genuinely angry: https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md …
Replying to @samth
Reading this through, the CORB stuff really does not fill me with joy. Sniffing to try to guess what data is sensitive? What could go wrong?
1 reply 0 retweets 0 likes -
I think of it as: all cross-origin data is sensitive. For legacy reasons, we can't block all cross-origin access. CORB's sniffing is a way to block more than we could otherwise by using all information available to avoid compat-impacting cases.
2 replies 0 retweets 1 like
I’m not saying you shouldn’t do CORB. I’m saying that CORB illustrates the limitations of Site Isolation, which indicates that we shouldn’t give up on in-process defense techniques.
11:06 AM - 30 May 2018
from South Beach, San Francisco
0 replies
0 retweets
2 likes