I’d like to shift Chrome’s XSS Auditor to block-by-default: https://groups.google.com/a/chromium.org/forum/m/#!topic/blink-dev/aZsNygF84JM … WDYT, Internets?
Replying to @mikewest
but then I can't make adblocking links anymore! like http://www.nytimes.com/?adblock=%3Cscript%20type%3D%22text%2Fjavascript%22%3Evar%20googletag%3Dgoogletag%7C%7C%7B%7D%3Bgoogletag.cmd%3Dgoogletag.cmd%7C%7C%5B%5D%2Cfunction()%7Bvar%20t%3Ddocument.createElement(%22script%22)%3Bt.async%3D!0%2Ct.type%3D%22text%2Fjavascript%22%3Bvar%20e%3D%22https%3A%22%3D%3Ddocument.location.protocol%3Bt.src%3D(e%3F%22https%3A%22%3A%22http%3A%22)%2B%22%2F%2Fwww.googletagservices.com%2Ftag%2Fjs%2Fgpt.js%22%3Bvar%20o%3Ddocument.getElementsByTagName(%22script%22)%5B0%5D%3Bo.parentNode.insertBefore(t%2Co)%7D()%3B%3C%2Fscript%3E … vs http://www.nytimes.com/
I thought adblock links were one of Chrome's main features :(
more seriously: I think this increases detectability of xss filter blocks - no huge issue, but potentially name/userid oracle
(as far as I've seen, the mitigating factor is usually that the script contains JSON, and comma terminates scripts for XSS filter)
but this is random chance, and if some site decides to put some kind of PIN first in some inline JSON script, that site is screwed