you could, but the model used by the people designing CSP for how it reduces threats is often wrong.
-
-
: https://csp.withgoogle.com/docs/strict-csp.html … is a deployable model Google's security team has landed on. Sane?
@mikesherov@SlexAxton@The_Brown_Shoe -
any policy that disallows dynamic evaluation of JS as a "broken legacy feature" is bad imo
-
: `eval` is a DOM XSS sink. *shrug* Evaluating that risk is up to the developer.
@mikesherov@SlexAxton@The_Brown_Shoe -
I'm holding myself back from fighting really hard. Your shrug is the thing that enrages me.
-
please try to understand why 1. There may be important use cases, 2. Security by 1/
-
"every developer should evaluate risks" does not comport with modern security practices 2/2
-
: 2) Developers should evaluate risks, just like they evaluate performance tradeoffs, etc.
@mikesherov@SlexAxton@The_Brown_Shoe -
in general, devs use tools that help make trade-offs for them. In this case, there's 1/
- 7 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.