`eval` is a DOM XSS sink. *shrug* Evaluating that risk is up to the developer. @mikesherov @SlexAxton @The_Brown_Shoe
I also think the exact nonce approach is probably too hard for small teams, but 1/
that's an orthogonal (but still important to me) point. 2/2
Nonces are the first scalably deployable approach we've found at Google, but I agree it's still hard. @frgx @mikesherov @SlexAxton
I'd be happy to start with "nonce for APIs" and try to improve nonces in parallel.
worksforme