aeris22’s Twitter Archive—№ 109,851

  1. …in reply to @Scott_Helme
    @Scott_Helme @kermiite @securityheaders I don't know. I "hate" CSP because HTML is too complex to be really secured this way, for me. CSS can include SVG which can include JS which can load CSS… and that kind of crap. And there are tons of CSP bypasses over the last years to consider this a security measure.
    1. …in reply to @aeris22
      @Scott_Helme @kermiite @securityheaders It seems to me that the CSP implementation is much more a bunch of corner-case protections hardcoded in the browser than decent security protection.
      1. …in reply to @aeris22
        @Scott_Helme @kermiite @securityheaders I can imagine many dozens of corner cases, with many hours on a single one just to check if there is a leak somewhere. Encapsulating more and more content. With tests on different browsers with different behavior.
        1. …in reply to @aeris22
          @Scott_Helme @kermiite @securityheaders And even if no success at the end, I still have dozens of corner cases remaining to test, and not that much more confidence in the CSP security.
          1. …in reply to @aeris22
            @Scott_Helme @kermiite @securityheaders For your typical input+styled-url, I tried this on my computer and got a DNS resolution visible to example.org in Wireshark. But I didn't succeed in reproducing it after that, and it was just the NS query. Perhaps there is also trouble here with A/AAAA blocked but NS resolved…