42:["$","div",null,{"className":"px-4","children":[["$","h2",null,{"className":"mb-4 text-sm font-medium text-balance text-muted-foreground tabular-nums","children":[0," comments"]}],["$","$L44",null,{"comments":[{"item":{"id":14281128,"type":"comment","by":"0x0","time":1494089566,"title":"$undefined","url":"$undefined","text":"But an attacker would simply use <script src="https://..", instead of <script src="httpsb://.." ?","score":"$undefined","descendants":"$undefined","kids":[14281390,14281345],"parent":14281077,"dead":"$undefined","deleted":"$undefined"},"children":[{"item":{"id":14281390,"type":"comment","by":"MereInterest","time":1494092443,"title":"$undefined","url":"$undefined","text":"Only if that is supported by the site being attacked. If the site only accepts httpsb connections, then the attacker would not have a way in.","score":"$undefined","descendants":"$undefined","kids":[14281719],"parent":14281128,"dead":"$undefined","deleted":"$undefined"},"children":[{"item":{"id":14281719,"type":"comment","by":"hdhzy","time":1494097331,"title":"$undefined","url":"$undefined","text":"If the site accepts httpsb it can as well support the Origin header [0] and the problem is solved.

[0]: https://wiki.mozilla.org/Security/Origin","score":"$undefined","descendants":"$undefined","kids":[14282738],"parent":14281390,"dead":"$undefined","deleted":"$undefined"},"children":[]}]}]},{"item":{"id":14281529,"type":"comment","by":"homakov","time":1494094229,"title":"$undefined","url":"$undefined","text":"I proposed a header instead of a protocol btw

https://medium.com/@homakov/request-for-a-new-header-state-o...","score":"$undefined","descendants":"$undefined","kids":[14281749],"parent":14281077,"dead":"$undefined","deleted":"$undefined"},"children":[{"item":{"id":14281749,"type":"comment","by":"hdhzy","time":1494097821,"title":"$undefined","url":"$undefined","text":"Sounds good but I suspect it will meet the same fate as XHTML 2: designed to be clean and perfect but in reality it would take to much effort to implement and maintain.

From your professional experience you can probably tell people would rather have slightly insecure site that works and gives profits rather than broken one because SOTA started including some new feature you didn't know...

People would rather enable these individual headers one by one and see their effect. In h2 headers are compressed so it's not a big deal (besides looking ugly).","score":"$undefined","descendants":"$undefined","kids":[14317929],"parent":14281529,"dead":"$undefined","deleted":"$undefined"},"children":[{"item":{"id":14317929,"type":"comment","by":"homakov","time":1494524306,"title":"$undefined","url":"$undefined","text":"> SOTA started including some new feature you didn't know

if you sign for 2 versions, changes in 3 would not brake you. and the point is MANY things right now could be safe to turn on for 99.99%, e.g. XFO. So, not much effort","score":"$undefined","descendants":"$undefined","kids":"$undefined","parent":14281749,"dead":"$undefined","deleted":"$undefined"},"children":[]}]}]}],"op":"captainmuon"}]]}]

0 comments

0 comments