- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 8 Feb 2016 12:27:05 -0800
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: Chris Palmer <palmer@google.com>, Craig Francis <craig.francis@gmail.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> FWIW, the vast majority of XSSes that we see have to do with the
> failure to consistently call existing APIs for everything that needs
> scrubbing / sanitization. It's not a scientific number, but I'd say
> it's in the ballpark of 95%.
>
> That's why I'm a lot more inclined to believe that flexible
> containment solutions - such as Safe Node, suborigins, or some of the
> more recent evolutions of CSP - have more promise. Doubly so when they
> can be retrofitted cleanly and easily into existing software.

+1 to both these points.

=Dev
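The quoted point, that most XSS comes from an escaping API not being called at every site that needs it, can be made concrete with a small example. The following JavaScript is added here and is not code from the thread or from any of the projects named in it; `escapeHtml`, the `html` tagged template and the sample strings are hypothetical. It contrasts a renderer that relies on each call site remembering to escape with one where every interpolation is escaped by construction, so the per-site mistake cannot happen.

```javascript
// Added example, not from the thread: escaping that depends on each call
// site versus escaping applied to every interpolation by construction.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Ad-hoc approach: each call site must remember to call escapeHtml.
// Here `name` is escaped but `note` is not; that inconsistency is the bug
// pattern the thread describes.
function renderGreetingAdHoc(name, note) {
  return '<p>Hello, ' + escapeHtml(name) + '</p><p>' + note + '</p>';
}

// Tagged template: the literal parts are trusted markup written by the
// developer, every interpolated value is escaped. Forgetting to escape
// is no longer possible at the call site.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ''),
    '',
  );
}

function renderGreeting(name, note) {
  return html`<p>Hello, ${name}</p><p>${note}</p>`;
}

// Constructed sample input containing markup characters.
const SAMPLE_NAME = 'Ada <b>Lovelace</b>';
const SAMPLE_NOTE = '"quoted" & <i>emphasised</i>';

// Crude check used to show the difference: does any tag other than the
// template's own <p> elements survive into the output?
function containsRawTag(markup) {
  return /<[a-z]/i.test(markup.replace(/<p>|<\/p>/g, ''));
}

console.log('ad-hoc :', renderGreetingAdHoc(SAMPLE_NAME, SAMPLE_NOTE));
console.log('tagged :', renderGreeting(SAMPLE_NAME, SAMPLE_NOTE));
console.log('raw tag leaked (ad-hoc):', containsRawTag(renderGreetingAdHoc(SAMPLE_NAME, SAMPLE_NOTE)));
console.log('raw tag leaked (tagged):', containsRawTag(renderGreeting(SAMPLE_NAME, SAMPLE_NOTE)));
```

The tagged template is not a containment mechanism in the sense of Safe Node, suborigins or CSP; it only removes the per-call-site decision for one output context. A deployed CSP still limits what an escaping miss elsewhere can do, which is the complementary point the quoted message makes.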
Received on Monday, 8 February 2016 20:27:54 UTC