Tell me about a more reasonable model for mitigating threats? @mikesherov @SlexAxton @The_Brown_Shoe
that's why I didn't actually get angry. But this attitude is extremely frustrating.
dynamic eval is important for performance goals. It's possible to eliminate the XSS sinks in other ways (e.g. ember uses templates for all DOM insertion). I'd be very comfortable with a capability approach that shared a nonce with the eval function safely, but CSP attitudes never go down that path for APIs, just HTML.
this! We end up having to do that manually since CSP doesn't support it :(
@mikewest @mikesherov @SlexAxton @The_Brown_Shoe
honestly the attitude that it's reasonable for apps to turn off eval is frustrating
it's legitimately slowed down ember performance work.
yeah; that's why no large scale website disabled eval.