Validate yo' message origins. https://twitter.com/almroot/status/836874262900326401
paypal had a bug a while ago where they only checked whether origin *contains* the permitted domain
if (event.origin.match(/paypalobjects\.com/i) || event.origin.match(/paypal\.com/i) || config.devMode || [...]) {
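Added example, not from the thread or from PayPal's code: the "contains the permitted domain" check quoted above beside an exact-match allowlist check, run over constructed sample origins. The allowlist entries are assumed for illustration.

```javascript
// Loose check in the style of the quoted snippet: an unanchored regex
// test on event.origin. Any origin whose host merely *contains*
// "paypal.com" passes, including attacker-controlled hosts.
function originMatchesLoosely(origin) {
  return /paypalobjects\.com/i.test(origin) || /paypal\.com/i.test(origin);
}

// Hardened check: compare the full origin (scheme://host[:port]) against
// an explicit allowlist. No regex, no substring, no dev-mode bypass.
// Entries are assumed values for this example, not a real configuration.
const ALLOWED_ORIGINS = new Set([
  "https://www.paypal.com",
  "https://www.paypalobjects.com",
]);

function originIsAllowed(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Message handler: validate event.origin before touching event.data.
// Returns the payload if accepted, null if the message is dropped.
function handleMessage(event) {
  if (!originIsAllowed(event.origin)) {
    return null; // drop silently; never answer with postMessage(..., "*")
  }
  return event.data;
}

// Constructed sample origins (event.origin never carries a path or query).
const SAMPLE_ORIGINS = [
  "https://www.paypal.com",                  // legitimate
  "https://www.paypal.com.attacker.example", // lookalike host, passes loose check
  "https://notpaypal.com",                   // substring match, passes loose check
  "http://www.paypal.com",                   // wrong scheme, passes loose check
];

// Side-by-side verdicts for each sample origin.
function classifyOrigins(origins) {
  return origins.map((o) => ({
    origin: o,
    loose: originMatchesLoosely(o),
    strict: originIsAllowed(o),
  }));
}

// Only register a listener when running in a browser.
if (typeof window !== "undefined") {
  window.addEventListener("message", handleMessage);
}
```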
Replying to @tehjh
Replying to @ericlaw
I guess the lesson here is that APIs should let the developer specify a security policy instead of letting the developer do it?
5:48 AM - 1 Mar 2017