XSS sinks in other ways (e.g. ember uses templates for all DOM insertion). 2/
I'd be very comfortable with a capability approach that shared a nonce with the eval 3/
function safely, but CSP attitudes never go down that path for APIs, just HTML. 4/4
Replying to @wycats
this! We end up having to do that manually since CSP doesn't support it :(
honestly the attitude that it's reasonable for apps to turn off eval is frustrating
it's legitimately slowed down ember performance work.
Replying to @wycats
yeah; that's why no large-scale website disabled eval.
the fact that we ended up at a place where ember developers like you feel frustrated is the real sad part here
yes. For what it's worth I've participated in writing memos explaining why it's OK to use eval for dynamic loading.
I was on the rails security team and I'm on the ember security team. I worked on vulns like https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0447
I understand this stuff but feel that people who are focused on eliminating threats need to be tempered by people 1/
focused on ergonomics, and there aren't enough of the latter in the current process. In fact, the process is dominated 2/
by an impression that ergonomics are a low order bit (hence the almost-rage in the above thread) 3/3