Sebastian Lekies
@slekies
Zürich, Switzerland
Tech Lead - Web Application Security Scanning @Google

798 Tweets | 229 Following | 883 Followers

Tweets

Sebastian Lekies
@slekies
Jan 28
@patricktoomey @arturjanc @sirdarckcat @mikewest legacy is not the point that I am trying to make. Twitter sucks for these discussions.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest again: I am not saying we can't do this. I am not at all opposing the idea. Just saying we need to be careful.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest just wanted to add one data point to the discussion and not oppose the general idea.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest and I am saying that not all ways will, as seen with the many hacks due to innerHTML.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest No, I am saying we should harden in a way that FWs play nicely with it.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest yes, definitely. I am the last one to argue against hardening. Just brought up one important issue.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest not only strict-dynamic, also unsafe-eval, which is required for most frameworks.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest then we should choose a hardening way that will not lead to these hacks.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest we should look at them to understand why these hacks are in place.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest I can show you dozens of examples where the current behavior of innerHTML led to hacks in libraries.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest I am not saying that at all. Just saying we need to take this into account to not get it wrong.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @sirdarckcat @mikewest I was thinking more about the default behavior. But if security is inconvenient, no one will adopt it.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @mikewest these hacks are also not introduced against the devs' intent, but for the opposite.

Sebastian Lekies
@slekies
Jan 28
@arturjanc @mikewest if the API does not fulfill the needs, devs will hack around it. Also, innerHTML is not a safe, hardened API.

Sebastian Lekies
@slekies
Jan 28
@mikewest I can show you a few PoCs next time we meet.

Sebastian Lekies
@slekies
Jan 28
@mikewest if you want to strengthen CSP, allow scripts in innerHTML and libraries will not implement insecure code for not surprising devs.

Sebastian Lekies
@slekies
Jan 28
@mikewest that's why jQuery and other libraries have magic html() methods to replace innerHTML with a function that also executes scripts.

Sebastian Lekies
@slekies
Jan 28
@mikewest devs expect that innerHTML executes all of HTML and not just a subset.