Another CSP nonce bypass, this time for reflected XSS: http://sebastian-lekies.de/csp/attacker2.php …. I will collect more bypasses here: https://goo.gl/t5VLIX
-
-
Yeah, srcdoc
-
but that's in attr value, no?
-
ohh sorry. I misread your message. You are right, that isn't useful.
-
Might be hard to implement(?), though. Nonce = HMAC with nonce + attr names?