I'd be very comfortable with a capability approach that shared a nonce with the eval 3/
-
-
function safely, but CSP attitudes never go down that path for APIs, just HTML. 4/4
1 reply 0 retweets 0 likes -
Replying to @wycats
this! We end up having to do that manually since CSP doesn't support it :(
@mikewest@mikesherov@SlexAxton@The_Brown_Shoe2 replies 0 retweets 1 like -
honestly the attitude that it's reasonable for apps to turn off eval is frustrating
2 replies 0 retweets 0 likes -
it's legitimately slowed down ember performance work.
1 reply 0 retweets 0 likes -
Replying to @wycats
yeah; that's why no large scale website disabled eval.
@mikewest@mikesherov@SlexAxton@The_Brown_Shoe1 reply 0 retweets 1 like -
the fact that we ended up at a place where ember developers like you feel frustrated is the real sad part here
@mikewest1 reply 0 retweets 0 likes -
yes. For what it's worth I've participated in writing memos explaining why it's OK to use eval for dynamic loading.
1 reply 0 retweets 0 likes -
I was on the rails security team and I'm on the ember security team. I worked on vulns like https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0447 …
1 reply 0 retweets 0 likes -
I understand this stuff but feel that people who are focused on eliminating threats need to be tempered by people 1/
1 reply 0 retweets 1 like
focused on ergonomics, and there aren't enough of the latter in the current process. In fact, the process is dominated 2/
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.