Let me back the truck up. Today, for web-compat, <script> by default sends cookies, allowing websites to include secret, authed data 1/
we should just say that we provide no sugar for cross-origin credentials for *modules* (and that you'll need to use low-level primitives 11/
like Service Worker if you really want to shoot yourself in the foot). F.p.toString is one possible vector of the above vuln 12/
but basically anything that lets you hook into JS comings-and-goings is potentially subject to this kind of vuln. 13/13