In particular, I would like someone to explain the threat model and the mitigation in precise terms. 2/2
@wycats cc @deezthugs - you remember any of this? I remember talking about it WRT WebCrypto, Widgets & the crap I did to make disco work.
@OhMeadhbh @wycats there is much nuance. This is interesting to read: https://blogs.dropbox.com/tech/2015/09/csp-the-unexpected-eval/ I would ask @frgx
@deezthugs @OhMeadhbh @frgx yeah I found that one. I didn't really understand the threat model there. More of a lint tool?
@wycats I'm hoping @frgx has the best expl. I think the problem is that you never know where text will come from to be eval'd @OhMeadhbh
@wycats ends up being a game of "whack-a-mole" unless you cannot eval() @frgx @OhMeadhbh
@deezthugs @wycats @frgx or in the case of disco, exercising known bugs in different browsers.
@OhMeadhbh I think in the template cases, we now "have the technology" baked into the browser @wycats @frgx
@wycats eval is no worse than inline JS. If your site is bug-free you can use both safely. CSP is a safety net for imperfect people.
@wycats @mixonic Any other pointers from @PhilippeDeRyck ?