New write-up by @avlidienbrunn: CSP: bypassing form-action with reflected XSS http://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-reflected-xss/
@mikewest @detectify @0x6D6172696F oops, set it up a bit fast. The point is that it bypasses form-action 'self'. Will update, thanks.
@avlidienbrunn: Perhaps you could mention @estark37 and @jochen_e's https://w3c.github.io/webappsec-referrer-policy/ as a mitigation? @detectify @0x6D6172696F
@mikewest @estark37 @jochen_e @detectify @0x6D6172696F sure
@avlidienbrunn: That's not really a "bypass", right? Still, an excellent example for the value of Referrer Policy. @detectify @0x6D6172696F
@mikewest @detectify @0x6D6172696F Well, same amount of user interaction, form values sent cross-domain. What's the definition of a bypass?
@avlidienbrunn: Eh. You're right, it's a bypass. :) It's narrower than the original claims, but totally valid. @detectify @0x6D6172696F
@mikewest @detectify @0x6D6172696F agreed, my bad