Mathias Karlsson

icon indicating a website link https://twitter.com/avlidienbrunn

icon company %PDF <'>test icon location o icon location addasdsasa %PDF adsdasdasdsadsa asdsdsa

Results 4 comments of Mathias Karlsson

Rewrite getting current URL code

It will also fix the race that lead to the try{}catch(){} block in background.js (ugly).

The hostspoofing recommended fix is wrong

Example config: ``` server { listen 80; server_name example.com; location / { add_header x_host $host; add_header x_http_host $http_host; add_header x_server_name $server_name; return 200 'hello'; } } ``` Example request/response: ```...

The hostspoofing recommended fix is wrong

Something like this could work (using the `$validated` variable): ``` map $host $validated { default "example.com"; "cdn.example.com" "cdn.example.com"; "login.example.com" "login.example.com"; } server { listen 80; server_name *.example.com; location / {...

The hostspoofing recommended fix is wrong

@buglloc What about people using vuln code inside their default_server, or allow wildcard/regex for server names (https://stackoverflow.com/questions/9454764/nginx-server-name-wildcard-or-catch-all)? Having default server + explicit server_name values is just another way of whitelisting...