@kkotowicz hey koto where do I report csp evaluator bugs to?
-
-
+1 for telling me all the bugs!
-
The CSP evaluator allows frame-src data: but <iframe src="data:text/html,<iframe src=javascript:alert(document.domain)>"></iframe> Edge
-
Thx a lot for sharing! Hopefully we can fix this on browser level. Would suck if we'd have to restrict frame-src to mitigate XSS
-
well this is an edge bug so could be here quite a while. IMO data: shouldn't atm be allowed
-
hard to come up with a useful #CSP for Edge anyway (no nonce or #strictdynamic support). I'll add a warning to the Evaluator.
-
yeah a warning would be good