Can we make CSP simpler? Or will "fixing" it just make it even worse and more complex? Can we start from scratch? Consider it sunk costs?
https://twitter.com/frgx/status/827999372293988352 …
1/ It is okay to discourage use of CSP if a team has no resources to get it right.
Replying to @arturjanc @sirdarckcat and
2/ And for many applications focusing on other security work is more valuable.
3/ But there are apps where XSS = game over and where defense-in-depth is important
4/ Those apps are some of the more popular ones: FB, GOOG, Twitter, Github, Dropbox
5/ Many of them want CSP and they also want to have more options (suborigins, etc.)
6/ Despite CSP's (many) flaws it offers useful features we can't get elsewhere.
eh. CSP is a last-ditch safety net, needed because of the lack of a good framework
like using C code with a memory sanitizer instead of a safe language