I’d like to shift Chrome’s XSS Auditor to block-by-default: https://groups.google.com/a/chromium.org/forum/m/#!topic/blink-dev/aZsNygF84JM … WDYT, Internets?
More seriously: I think this increases detectability of XSS filter blocks. No huge issue, but potentially a name/userid oracle.
(As far as I've seen, the mitigating factor is usually that the script contains JSON, and a comma terminates scripts for the XSS filter.)