I’d like to shift Chrome’s XSS Auditor to block-by-default: https://groups.google.com/a/chromium.org/forum/m/#!topic/blink-dev/aZsNygF84JM … WDYT, Internets?
(as far as I've seen, the mitigating factor is usually that the script contains JSON, and a comma terminates scripts for the XSS filter)
but this is random chance, and if some site decides to put some kind of PIN first in some inline JSON script, that site is screwed