#TIL <link rel=import href=foo> works on innerHTML. AFAIK it's the only non-event-based XSS sink. Is it?
@sirdarckcat is the point finding a sink without event or finding one that works when CSP is added with JS?
-
-
@sirdarckcat because <object data=x allowscriptaccess=always> works with no CSP -
@avlidienbrunn with CSP, otherwise its not fun! :-)
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.