This is a fairly exciting presentation about the dangers of injecting user controlled content into an Electron app. Short version: Don't. https://twitter.com/hasegawayosuke/status/789330285179514880
Links, form submissions, <iframe> navigating window.top, etc. I'm wary of believing UMA here, but I have no data to prove it :/
-
I believe our metrics! Unless they tell me things I don’t want to hear.
-
I think another point here is that meta refresh allows dangling markup without user interaction.
-
Can you? Starting in 61, we should be blocking requests that contain newlines and ‘<’, which I hope mitigates this risk.
-
cool, will test it then :)
-
CC me on the bugs you file. :)
-
Sorry, seems like I don't have permission to CC you :P https://bugs.chromium.org/p/chromium/issues/detail?id=749852