by jerf
2883 days ago
Unfortunately, reverse compatibility forces the web into a blacklisting model with new headers. In my Copious Free Time (TM) I am trying to write a web framework that is default deny instead, so even if the web itself is whitelist based, you can try to write in a default-deny environment for security reasons. But even if you imagine a perfect such framework from 2017, now in 2018 you have these new headers to deal with, and it means even if the 2018 version of this default-deny framework comes up, you can't just upgrade the framework itself and do nothing, because now if you default-deny all of these the website stops working. Plus it's a false sense of security if you program this restriction that says "no iframes!" and someone uses a browser that doesn't support it. It's a hard problem, unfortunately.
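The default-deny header policy described in the comment above, as an added example (not code from the thread or from the commenter's framework): every route starts at the strictest value, a route must opt in to anything looser, unknown policy keys are rejected so a typo cannot silently widen access, and each modern header is paired with the older header covering the same risk, with the function reporting where no legacy equivalent exists so the "no iframes" rule is not silently trusted in browsers that ignore it. The header names and syntax are real; the policy object shape and the function name are assumptions.

```javascript
'use strict';

// Hypothetical framework policy object (assumed shape). Empty lists mean
// "nobody", which is the default for everything.
const DEFAULT_DENY = Object.freeze({
  frameAncestors: [],                 // no origin may frame the page
  scriptSrc: ["'self'"],
  connectSrc: ["'self'"],
  features: Object.freeze({ camera: [], microphone: [], geolocation: [] }),
});

// CSP source list: an empty list becomes 'none' rather than an empty directive.
function srcList(list) {
  return list.length ? list.join(' ') : "'none'";
}

// Permissions-Policy allowlist: tokens are `self`, `*`, or a quoted origin.
function allowList(list) {
  return '(' + list.map(o => (o === 'self' || o === '*') ? o : `"${o}"`).join(' ') + ')';
}

// Build response headers for one route. `overrides` may only loosen keys
// that exist in DEFAULT_DENY; anything else is an error, not a no-op.
function buildHeaders(overrides = {}) {
  for (const key of Object.keys(overrides)) {
    if (!Object.prototype.hasOwnProperty.call(DEFAULT_DENY, key)) {
      throw new Error(`unknown policy key: ${key}`);
    }
  }
  const policy = {
    ...DEFAULT_DENY,
    ...overrides,
    features: { ...DEFAULT_DENY.features, ...(overrides.features || {}) },
  };
  const headers = {};
  const legacyGap = []; // directives with no equivalent for older browsers

  // frame-ancestors (CSP level 2) plus its legacy counterpart X-Frame-Options.
  const fa = policy.frameAncestors;
  headers['Content-Security-Policy'] = [
    "default-src 'none'",
    `script-src ${srcList(policy.scriptSrc)}`,
    `connect-src ${srcList(policy.connectSrc)}`,
    `frame-ancestors ${srcList(fa)}`,
  ].join('; ');
  if (fa.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
  } else if (fa.length === 1 && fa[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  } else {
    // X-Frame-Options cannot express an origin list (ALLOW-FROM is obsolete),
    // so a browser that does not implement frame-ancestors will allow framing.
    legacyGap.push('frame-ancestors');
  }

  // Permissions-Policy: every feature listed is denied unless opted in.
  headers['Permissions-Policy'] = Object.entries(policy.features)
    .map(([name, allow]) => `${name}=${allowList(allow)}`)
    .join(', ');

  // Headers with a single safe value that no route may override.
  headers['X-Content-Type-Options'] = 'nosniff';
  headers['Referrer-Policy'] = 'no-referrer';
  return { headers, legacyGap };
}

// Example usage: a page that a partner site embeds and that uses the camera.
const partnerPage = buildHeaders({
  frameAncestors: ['https://partner.example'],   // assumed partner origin
  features: { camera: ['self'] },
});
if (partnerPage.legacyGap.length) {
  console.warn('no legacy fallback for:', partnerPage.legacyGap.join(', '));
}
```

The `legacyGap` return value is the practical answer to the false-security point: the framework can still default-deny, but it tells the developer exactly which rule relies on a header some browsers will ignore, so that decision is made consciously rather than discovered after the fact.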
Older sites could continue to function as they do today, or perhaps be even more heavily sandboxed AND not have access to new APIs.