Can someone give me a link to the most charitable, best argued explanation for why the CSP policy that disallows eval is important? 1/
@deezthugs @OhMeadhbh @frgx yeah I found that one. I didn't really understand the threat model there. More of a lint tool?
@wycats I'm hoping @frgx has the best expl. I think the problem is that you never know where text will come from to be eval'd @OhMeadhbh
@wycats ends up being a game of "whack-a-mole" unless you cannot eval() @frgx @OhMeadhbh
@deezthugs @wycats @frgx or in the case of disco, exercising known bugs in different browsers.
@OhMeadhbh I think in the template cases, we now "have the technology" baked into the browser @wycats @frgx
@deezthugs @wycats @frgx please tell me you're not suggesting we do nothing other than <template> tags.
@OhMeadhbh there's template literals now too https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals @wycats @frgx
@deezthugs @wycats @frgx though template literals should very much be killed with fire.
@OhMeadhbh I actually like template tags. It's platform tech that can be made palatable. Also, I really like https://github.com/ohanhi/hyperscript-helpers
@wycats hmm.. The threat model is the same as CSP: HTML injection vuln in app @deezthugs @OhMeadhbh
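To make the point of the thread concrete, here is an added example (not code from any participant): a small checker that parses a Content-Security-Policy header and reports whether eval() is still allowed. It models the CSP rule that `script-src` governs eval, that `default-src` is the fallback when `script-src` is absent, and that the `'unsafe-eval'` keyword is what re-enables it; the policy strings are constructed for illustration.

```python
"""Check whether a Content-Security-Policy header still permits eval()."""


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated, whitespace-tokenised; when a directive
    is repeated, browsers keep the first occurrence and ignore the rest.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        sources = [t.lower() for t in tokens[1:]]  # keywords are case-insensitive
        policy.setdefault(name, sources)  # first occurrence wins
    return policy


def eval_allowed(header: str) -> bool:
    """True if eval(), new Function() and string-argument setTimeout would run.

    eval is governed by script-src; if that is missing, default-src applies;
    if neither is present the policy places no restriction on eval at all.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: eval is unrestricted
    return "'unsafe-eval'" in sources


if __name__ == "__main__":
    # Constructed policies: the first still lets injected text reach eval(),
    # the second is the hardened form the thread argues for.
    weak = "default-src 'self'; script-src 'self' 'unsafe-eval'"
    hardened = "default-src 'self'; script-src 'self'"
    for label, header in (("weak", weak), ("hardened", hardened)):
        print(f"{label}: eval allowed = {eval_allowed(header)}")
```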