NDevTK
Currently no, although for this attack it was not about local threats. It seems reasonable for something in the local LAN range to be automatically allowed. (They can already spoof...
So for a local attacker, assuming I remember correctly: DNS is unencrypted by default, so it's possible to say googlers.com resolves to your device. ARP is used to determine what device...
Well, if you're building the extension, why not just put your own host in the code! But yeah, there should be a UI to grant permission for a user-provided...
Personally, because I'm bad at web design, I think using an allow list only controllable by the user is the fix. Can't use chrome.storage, however, otherwise get back to the...
Yeah, if a dialog came up when clicking on the extension icon that said "Do you want to allow `origin` access to all websites", that would be fine.
COOP does not fully mitigate attacks, but it is still a defence since it stops attacks after the first complete navigation.
Interesting attack, although an API should not be running untrusted code; it would seem more useful to block usage of eval to prevent code execution in the first place. Of...
Nice find :)
I think the formatting should be done by whatever is parsing the CSV; an integer makes sense for calculations.
Regarding `leak the closest http(s):// origin document's URL`, shouldn't that be `leak the **initiator's** closest http(s):// origin document's URL` due to the change in https://groups.google.com/a/chromium.org/g/blink-dev/c/qhl64uMLjGA/m/SiugtWfvBAAJ