XSS'd by ad, via DoubleClick, via Referer header: http://www.troyhunt.com/2015/07/how-i-got-xssd-by-my-ad-network.html?m=1 …
@ericlaw @troyhunt I understand what you mean. It's still bad. And it's terrible that it is the default on the web. /cc @frgx @BrendanEich
@BRIAN_____ it is terrible that anyone can execute code in some domain that has no privileges? CC @ericlaw @troyhunt @BrendanEich
@frgx @ericlaw @troyhunt @BrendanEich It does have some privileges, e.g. allow-top-navigation. Plus, DoubleClick chooses privs, not page.
@frgx @ericlaw @troyhunt @BrendanEich IMO, it's terrible that "don't let an ad do anything outside its box until clicked" isn't the default.
@BRIAN_____ yes iframe sandbox doesn't have the adoption it should cc @ericlaw @troyhunt @BrendanEich
@frgx @ericlaw @troyhunt @BrendanEich Yes. I think we need to enhance iframe sandbox to get the click-to-allow-top-navigation experience.
End of conversation
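To make the exchange above concrete, here is an added example (not from the thread or from any of its participants) of what "the page sets the ad's privileges" looks like in markup. The ad-server URL is a placeholder. Two facts it relies on: sandbox flags set on an outer iframe are inherited by every frame nested inside it, so the embedding page, not the ad network, sets the ceiling; and the "click-to-allow-top-navigation" behaviour the thread asks for later became the `allow-top-navigation-by-user-activation` sandbox token in the HTML spec.

```html
<!-- Added example, not code from the thread. The ad-server URL is a placeholder. -->

<!-- Weak (the common default): no sandbox. Script in the ad frame, and in any
     frame it nests, can navigate the top-level page, open popups and submit
     forms without a click. -->
<iframe src="https://ads.example/slot?id=PLACEHOLDER"></iframe>

<!-- Hardened: the sandbox is applied by the embedding page and is inherited by
     every nested frame, so the ad network cannot grant itself more than this.
       allow-scripts                           the creative still runs its JS
       allow-top-navigation-by-user-activation top-level navigation only after a
                                               real click, never from script alone
       allow-popups + allow-popups-to-escape-sandbox
                                               click-through opens a new tab that
                                               is not itself sandboxed
     Deliberately omitted: allow-top-navigation (script-driven redirects),
     allow-forms, and allow-same-origin (with allow-scripts, a document that is
     same-origin with the page could strip its own sandbox).
     referrerpolicy="no-referrer" keeps the page URL out of the ad request, so
     a server that reflects the Referer header has nothing of ours to reflect. -->
<iframe src="https://ads.example/slot?id=PLACEHOLDER"
        sandbox="allow-scripts allow-popups allow-popups-to-escape-sandbox allow-top-navigation-by-user-activation"
        referrerpolicy="no-referrer"></iframe>
```

A quick check when auditing a page: open the ad slot in devtools and confirm the outermost ad iframe carries a `sandbox` attribute; if it does not, every nested frame DoubleClick or the creative creates runs unsandboxed regardless of what the ad network chose.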
New conversation
@BRIAN_____ @ericlaw @troyhunt @frgx that what is the default? Server reflects, what do you want client to do? Distributed information flow?