I'm saying some people believe that it's important to make "authenticated modules" a thing. Which is crazy.
Given that, when designing <script type="module">, we should certainly *default* away from sending cookies across origins, and maybe 10/
we should just say that we provide no sugar for cross-origin credentials for *modules* (and that you'll need to use low-level primitives 11/
like Service Worker if you really want to shoot yourself in the foot). F.p.toString is one possible vector of the above vuln 12/
but basically anything that lets you hook into JS comings-and-goings is potentially subject to this kind of vuln. 13/13
Factcheck: we support nonce so this is preventable.