Another CSP nonce bypass, this time for reflected XSS: http://sebastian-lekies.de/csp/attacker2.php …. I will collect more bypasses here: https://goo.gl/t5VLIX
Then we're trying to limit exfil so we'll likely lose. We should fix caching instead.
For example: prevent a nonced page from ever being cacheable, including via bfcache.
That seems likely to make users sad. "I hit back and then explosions! Oh noes!"
@slekies @sirdarckcat @molnar_g @randomdross
Hmm, would a regular reload (new server request) break things in this case?
Yes, breaking the bfcache would be pretty horrible.
Belts, suspenders, more belts, etc.