A_A
I've tried to replicate it with CSS+mashlib; however, it does not seem to be exploitable there. A request there results in a 401; my **guess** is because no authorization header is sent and CSS...
@bourgeoa Is there any further information I could provide to help resolve this issue? I understand that this is a bigger change and thus needs time, just want to be...
> I don't fully understand the cookie settings yet, but my guess is that cross-origin they are not included in the requests.

My guess was wrong, the cookie is set...
Hi @zg009 In general, I think there are two problems. (1) that NSS allows cookie authentication, so any html/etc file that is stored on the pod can make authenticated requests...
> I am making the assumption here that this flaw occurs only under the condition that Alice (victim) gave Eve (malicious actor) append access to her pod on NSS and...
> My main opinion about this is that this is something that needs to be solved on the level of a Solid specification.

I agree that it should be a...
If you have the same problem, please simply upvote the issue. It's a bit annoying to receive emails for every "Same". Thank you!
Hi, congrats on getting it to work together! :ok_hand: Regarding the dependency / library question: I think it would make sense to _not_ include flask and solid-oidc-client as dependencies, but...
This does not seem to work anymore, for instance https://duolingo-lexicon-prod.duolingo.com/api/1/search?exactness=1&languageId=en&query=solos&uiLanguageId=es redirects to duolingo.com
I've moved the XSS vulnerability to another issue, so this one can focus on the security policy