New write-up by @avlidienbrunn: CSP: bypassing form-action with reflected XSS http://labs.detectify.com/2016/04/04/csp-bypassing-form-action-with-reflected-xss/
@mikewest @detectify @0x6D6172696F well. Same amount of user interaction, form values sent cross-domain. What's the definition of a bypass?
@avlidienbrunn: Eh. You're right, it's a bypass. :) It's narrower than the original claims, but totally valid. @detectify @0x6D6172696F
@mikewest @detectify @0x6D6172696F agreed, my bad
@avlidienbrunn: Perhaps `form-action` should force POST. *shrug* Something to look into. @detectify @0x6D6172696F