HackerTrans
TopNewTrendsCommentsPastAskShowJobs

kid-icarus

no profile record

comments

kid-icarus
·3 lata temu·discuss
While these points may hold true, I’ve often seen the statement thrown around in chats and various forums that, “dart sux.” I don’t understand the hate, nor the juvenile phrasing.
kid-icarus
·3 lata temu·discuss
[flagged]
kid-icarus
·5 lat temu·discuss
Yes, if an extension can override CSP directives to allow arbitrary connect-src exceptions, it effectively means that any data in any form on any page is now susceptible of having that data sent to an attacker-owned URL.

The solution doesn't necessitate removing extensions, it just means potentially constraining the API surface of extensions in order to mitigate the attack surface.
kid-icarus
·5 lat temu·discuss
I have that same issue, but I would much rather filter out extraneous CSP violations than have some exploited extension exfiltrate sensitive data.

Edit: typo
kid-icarus
·5 lat temu·discuss
Can you specify which policies are a nightmare to develop on? As a security-minded UI eng, I warmly welcome any new security policies that enable me to harden my applications and prevent exfiltration of sensitive data.

Edit: typo.