You could, but the model used by the people designing CSP for how it reduces threats is often wrong.
Replying to @wycats, @mikesherov, @SlexAxton and @The_Brown_Shoe:
Tell me about a more reasonable model for mitigating threats?
Replying to @mikewest, @mikesherov and others:
The CSP model is great. The model of the people adding CSP features (sorry) is not always great.
It works through a convoluted mechanism: we'll add a feature that a team's security people will insist on turning on, the team will be unable to push back, and when this happens enough times the web will become safer.
Replying to @wycats, @mikesherov, @SlexAxton and @The_Brown_Shoe:
https://csp.withgoogle.com/docs/strict-csp.html is a deployable model Google's security team has landed on. Sane?
Replying to @mikewest, @mikesherov and others:
Any policy that disallows dynamic evaluation of JS as a "broken legacy feature" is bad imo.
It's like saying dlopen should be removed from C and everyone should statically link always.
The bottom line is that CSP folks tend to downplay the importance of the feature they taboo.