[Service Workers] New APIs = New Vulns = Fun++ https://sirdarckcat.blogspot.com/2015/05/service-workers-new-apis-new-vulns-fun.html …
@frgx @sirdarckcat @jaffathecake : in these cases the URL is still wrong, no?
I guess XSS mitigation should now include "flush caches".
@slightlylate @frgx @jaffathecake yes, if the referrer isn't present, then the CSRF check fails too
@sirdarckcat @frgx @jaffathecake : the attack needs CORS set on the content to display, which'd allow XHR from page to do same