benatkin 17 hours ago
Blocking/allowlisting all JavaScript is the only way [1] to have a CSP fully contain an app (no exfiltration) [2] and with prefetch that might not be enough. The author is correct at the end to suggest using WebAssembly. (Also, it still has the issue of clicking links, which can be limited to certain domains or even data: by wrapping the untrusted code in an iframe and using child-src on the parent of the iframe)

1: https://github.com/w3c/webappsec/issues/656#issuecomment-246...
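The arrangement the comment describes (a `default-src 'none'` policy on the untrusted document, plus `child-src` on the parent page to restrict where its iframe may be pointed) comes down to how CSP picks the governing directive for each request. The following is an added example, not code from the thread or from any browser: a small Python model of the CSP Level 3 fallback chains and source matching, run against the two policies. The host names app.example, trusted.example and evil.example are constructed, and the evaluator is a simplification (it does not model prefetch, WebRTC or the other side channels raised in the thread).

```python
"""Constructed model of how CSP fallback chains decide what a page may load.

Assumptions (not from the thread): app.example, trusted.example and
evil.example are made-up hosts; this is a simplified evaluator, not a
browser engine, and prefetch/WebRTC side channels are not modelled.
"""
from urllib.parse import urlparse

# CSP Level 3 fallback chains for the directives used in this example:
# the first directive present in the policy governs the request.
FALLBACK = {
    "script-src":  ["script-src", "default-src"],
    "connect-src": ["connect-src", "default-src"],
    "frame-src":   ["frame-src", "child-src", "default-src"],
    "worker-src":  ["worker-src", "child-src", "script-src", "default-src"],
}


def parse_policy(header):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def origin_of(url):
    parsed = urlparse(url)
    return f"{parsed.scheme}://{parsed.netloc}"


def source_matches(expr, url, self_origin):
    """Does one CSP source expression permit this URL?"""
    expr = expr.lower()
    parsed = urlparse(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin_of(url) == self_origin
    if expr.endswith(":"):                      # scheme source: data:, https:
        return parsed.scheme == expr[:-1]
    if parsed.hostname is None:                 # data:/blob: never match a host source
        return False
    if "://" in expr:                           # optional scheme before the host
        scheme, host = expr.split("://", 1)
        if parsed.scheme != scheme:
            return False
    else:
        host = expr
    host = host.rstrip("/")
    if host.startswith("*."):                   # wildcard subdomain, e.g. *.trusted.example
        return parsed.hostname.endswith(host[1:])
    return parsed.hostname == host


def is_allowed(header, directive, url, self_origin="https://app.example"):
    """Apply the first governing directive in the fallback chain.

    A directive listed with no sources (e.g. "script-src") behaves as 'none';
    a policy that never mentions the chain imposes no restriction at all.
    """
    policy = parse_policy(header)
    for name in FALLBACK[directive]:
        if name in policy:
            return any(source_matches(e, url, self_origin) for e in policy[name])
    return True


# Policy served with the untrusted document inside the iframe: load nothing,
# run no script, open no connection (the comment's "block all JavaScript").
SANDBOX_POLICY = "default-src 'none'"

# Policy served with the parent page: its own resources only, and child
# frames may only be pointed at the allow-listed host or data: URLs.
PARENT_POLICY = "default-src 'self'; child-src https://trusted.example data:"

if __name__ == "__main__":
    checks = [
        (SANDBOX_POLICY, "script-src",  "https://cdn.example/lib.js"),
        (SANDBOX_POLICY, "connect-src", "https://evil.example/collect"),
        (PARENT_POLICY,  "frame-src",   "https://trusted.example/widget"),
        (PARENT_POLICY,  "frame-src",   "https://evil.example/"),
        (PARENT_POLICY,  "frame-src",   "data:text/html,<h1>hi</h1>"),
    ]
    for header, directive, url in checks:
        verdict = "allow" if is_allowed(header, directive, url) else "BLOCK"
        print(f"{verdict:5} {directive:12} {url}")
```

The two behaviours worth noticing: `frame-src` is absent from the parent policy, so the frame requests fall through to `child-src`, which is why that directive on the parent is what bounds the iframe; and a chain with no governing directive at all (for example a policy that only sets `img-src`) leaves scripts unrestricted, which is why the containment relies on `default-src 'none'` rather than on listing individual directives.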
EE84M3i 6 hours ago
I didn't realize you could use CSP for preventing exfiltration now! How did they close the WebRTC loopholes?
kmeisthax 11 hours ago
Why would WebAssembly provide more protection against exfiltration than JavaScript in this case?