I’d like to shift Chrome’s XSS Auditor to block-by-default: https://groups.google.com/a/chromium.org/forum/m/#!topic/blink-dev/aZsNygF84JM … WDYT, Internets?
More seriously: I think this increases detectability of XSS filter blocks - no huge issue, but potentially name/userid oracle
(as far as I've seen, the mitigating factor is usually that the script contains JSON, and comma terminates scripts for XSS filter)
but this is random chance, and if some site decides to put some kind of PIN first in some inline JSON script, that site is screwed
I think we ought to close the holes where a blocked page is distinguishable from any other cross-origin page. I only know of one.
There are probably several, but that seems like a tractable problem.