you could, but the model used by the people designing CSP for how it reduces threats is often wrong.
people will insist on turning on, the team will be unable to push back, and when this 2/
-
-
happens enough times the web will become safer. 3/3
-
https://csp.withgoogle.com/docs/strict-csp.html … is a deployable model Google's security team has landed on. Sane?
@mikesherov @SlexAxton @The_Brown_Shoe -
any policy that disallows dynamic evaluation of JS as a "broken legacy feature" is bad imo
-
`eval` is a DOM XSS sink. *shrug* Evaluating that risk is up to the developer.
@mikesherov @SlexAxton @The_Brown_Shoe -
I'm holding myself back from fighting really hard. Your shrug is the thing that enrages me.
-
please try to understand why 1. There may be important use cases, 2. Security by 1/
-
"every developer should evaluate risks" does not comport with modern security practices 2/2
-
2) Developers should evaluate risks, just like they evaluate performance tradeoffs, etc.
@mikesherov @SlexAxton @The_Brown_Shoe - 8 more replies