@mathias basically every single Twitter, Facebook, and Gmail link .... right?
@WebReflection Gmail seems safe. Twitter and Facebook are still vulnerable to this, it seems.
@Stilldabomb @Freerunnering Hence the open WebKit bug about it ;)
@Stilldabomb @Freerunnering Bug links are at the bottom of the page
@Cinsoft Same problem with unknown named targets. +@WebReflection
@Cinsoft “Leave it off completely” is the only sensible advice. Named targets are just as bad, framesets or not. +@WebReflection
@mathias hm, it doesn't work with different origins.
@abozhilov It does! Access to `window` is enough to overwrite `window.location` and redirect. You can’t access `window.document` though.
@NO_BOOT_DEVICE This is not about XSS, though. There is a cross-origin example showing the opened page triggering navigation. +@thegrugq