: I'm not trying to enrage you, sorry if it came across as dismissive. That's not my intent. @mikesherov @SlexAxton @The_Brown_Shoe
Replying to @mikewest @mikesherov and
that's why I didn't actually get angry. But this attitude is extremely frustrating.
dynamic eval is important for performance goals. It's possible to eliminate the 1/
XSS sinks in other ways (e.g. ember uses templates for all DOM insertion). 2/
I'd be very comfortable with a capability approach that shared a nonce with the eval 3/
function safely, but CSP attitudes never go down that path for APIs, just HTML. 4/4
Replying to @wycats
this! We end up having to do that manually since CSP doesn't support it :(
@mikewest @mikesherov @SlexAxton @The_Brown_Shoe
so I think this comes down to: the CSP nonce approach should be extended to APIs. 1/
are you interested @mikewest or know anyone who would be? 2/2
Replying to @wycats
: Let's continue at https://github.com/w3c/webappsec-csp/issues/87#issuecomment-280944735.
@frgx @mikesherov @SlexAxton @The_Brown_Shoe