it works through a convoluted mechanism: we'll add a feature that a team's security 1/
XSS sinks in other ways (e.g. ember uses templates for all DOM insertion). 2/
-
-
I'd be very comfortable with a capability approach that shared a nonce with the eval 3/
-
function safely, but CSP attitudes never go down that path for APIs, just HTML. 4/4
-
this! We end up having to do that manually since CSP doesn't support it :(
@mikewest@mikesherov@SlexAxton@The_Brown_Shoe -
honestly the attitude that it's reasonable for apps to turn off eval is frustrating
-
it's legitimately slowed down ember performance work.
-
yeah; that's why no large scale website disabled eval.
@mikewest@mikesherov@SlexAxton@The_Brown_Shoe -
the fact that we ended up at a place where ember developers like you feel frustrated is the real sad part here
@mikewest -
yes. For what it's worth I've participated in writing memos explaining why it's OK to use eval for dynamic loading.
- 5 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.