github.com/mikewest/strict-c… is a thought experiment around XSS-mitigation-by-default that I'm not sure we could actually deploy... Or could we?
(Thanks to @shhnjk for reminding me that I hadn't put it up anywhere for discussion.)
An old idea of mine: create a new protocol handler (and port?) that has all the security features enabled by default. Can even re-imagine SOP. So instead of visiting https://domain.tld, instead visit web://domain.tld. That won't break any websites and allows gradual adoption.
Oct 2, 2019 · 11:16 AM UTC

