A_A

Results: 115 comments of A_A

> > For smaller servers (e.g. the personal own server), maybe it would be secure to allow serving user-created applications. However, even there, if you e.g. use the current CSS...

> Does it only apply to the default CSS deployment where the OIDC Provider and the Resource Server are on the same origin? For example, I run two separate CSS...

> This looks like a [same origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) issue? Exactly. This issue is about how we handle this with html files hosted on a pod, which thus share the domain....

> For example, if people self-host solid apps (SPA / PWA), they should not allow anyone they don't trust to host their apps in the same storage. I would most...

I've just learned that also [svg files can execute javascript](https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script). For instance, if the following file were public on a pod and the user navigates to `pod.example.org/malicious.svg`, the script will execute:...

I think I'd prefer to add the `Content-Disposition: attachment` header (as suggested in the initial issue). If we return text/plain, then we'd lose some information and some applications will probably...

I've created a PR (#598) that would add the following security consideration: > Servers are encouraged to apply security measures when serving user-created files. Multiple agents can create files on...

Looks good to me. Depending on how you are able to deal with it, I would consider enabling "private vulnerability reporting". If a security issue is public, everyone can...

> a good reminder why we moved to dpop rather than using cookies. I've written this exploit code with NSS in mind, so this one relies on cookies to load...