you could, but the model used by the people designing CSP for how it reduces threats is often wrong.
any policy that disallows dynamic evaluation of JS as a "broken legacy feature" is bad imo
`eval` is a DOM XSS sink. *shrug* Evaluating that risk is up to the developer.
@mikesherov @SlexAxton @The_Brown_Shoe
I'm holding myself back from fighting really hard. Your shrug is the thing that enrages me.
please try to understand why 1. There may be important use cases, 2. Security by 1/
"every developer should evaluate risks" does not comport with modern security practices 2/2
2) Developers should evaluate risks, just like they evaluate performance tradeoffs, etc.
@mikesherov @SlexAxton @The_Brown_Shoe
in general, devs use tools that help make trade-offs for them. In this case, there's 1/
nothing ember can do to acquire the eval capability safely cuz no one designed the API 2/
and in general the attitude is "shoot capabilities first, ask questions later" 3/3
it's like saying dlopen should be removed from C and everyone should statically link always
the bottom line is that CSP folks tend to downplay the importance of the feature they taboo