Another CSP nonce bypass, this time for reflected XSS: http://sebastian-lekies.de/csp/attacker2.php …. I will collect more bypasses here: https://goo.gl/t5VLIX
For example: prevent a nonced page from ever being cacheable, including via bfcache.
-
-
: That seems likely to make users sad. "I hit back and then explosions! Oh noes!"
@slekies@sirdarckcat@molnar_g@randomdross -
Hmm, would a regular reload (new server request) break things in this case?
-
yes, breaking the bfcache would be pretty horrible.
End of conversation
New conversation -
-
-
: But yeah fixing the class would be lovely. Suggest away!
@slekies@sirdarckcat@molnar_g@randomdrossThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.