by mtlynch
1029 days ago
>I know XSS is dying due to CORS

CORS isn't related to XSS. CORS actually isn't a security protection at all. It's a way for web apps to explicitly disable standard protections that browsers apply to enforce same origin policy.

You might be thinking of Content Security Policy (CSP).[0] That's the most effective protection I'm aware of for XSS, but it's not very widely used because so few JavaScript libraries are compatible with it.

[0] https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

>so few JavaScript libraries are compatible with it.
Is this because of the 'eval' function specifically, or are there other reasons?