Write-up of CVE-2015-1287 and CVE-2015-5826: Data exfiltration abusing CSS + UTF-16, one of my greatest findings! http://blog.innerht.ml/cross-origin-css-attacks-revisited-feat-utf-16/ …
Replying to @filedescriptor
@filedescriptor “BOM is not an issue since it is discouraged according to the Unicode standard” — [citation needed]
Replying to @mathias
@mathias @filedescriptor Common claim from those who built code that pukes on the UTF-8 bom http://unicode.org/faq/utf_bom.html#bom5 … https://tools.ietf.org/html/rfc3629
Replying to @ericlaw
@ericlaw Yeah, but as far as I know the Unicode *standard* itself doesn’t discourage the use of BOM anywhere. +@filedescriptor
Replying to @mathias
@mathias @ericlaw @filedescriptor Definitely discouraged as a ZWNBSP. And strongly hinted that it is a last resort to indicate encoding.
Replying to @FakeUnicode
@FakeUnicode Strongly hinted where? +@ericlaw @filedescriptor
Replying to @mathias
@mathias @ericlaw @filedescriptor For example: http://unicode.org/faq/utf_bom.html … pic.twitter.com/dSNq1hohyX
Replying to @FakeUnicode
@mathias @ericlaw @filedescriptor Official charts kinda vague about it too. They don't say "indicate" but "detect". pic.twitter.com/xCzcWtMwxi
Replying to @FakeUnicode
@FakeUnicode @ericlaw @filedescriptor For the record, I know I’m being nitpicky but I honestly want to know :)
Replying to @mathias
@mathias @ericlaw @filedescriptor Are the official charts not in the standard?
@FakeUnicode Like you said, the charts are vague about it and don’t discourage it as an encoding indicator. +@ericlaw @filedescriptor