Mathias Karlsson
It'll think that the "main domain" is "co.uk" and thus allow anything to be CSRF'd there. Thanks @fransrosen for pointing this out.
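The misclassification described in the comment above, as an added example (not the extension's code): a "main domain" taken as the last two labels collapses every `*.co.uk` site into `co.uk`, so a same-site check between an attacker page and a victim page passes. The PSL-aware version uses a constructed, deliberately tiny subset of the Public Suffix List; a real implementation has to load the full list from https://publicsuffix.org.

```javascript
// Added example: why "last two labels" is the wrong notion of main domain
// for a CSRF blocker. Not code from the extension discussed on this page.

// Naive approach: registrable domain = last two labels of the hostname.
function naiveMainDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Constructed subset of the Public Suffix List, for illustration only.
// A production check must use the full list (https://publicsuffix.org).
const PUBLIC_SUFFIXES = new Set([
  'com', 'net', 'org', 'uk', 'co.uk', 'org.uk', 'github.io',
]);

// Registrable domain (eTLD+1): longest matching public suffix plus one label.
// Returns null when the hostname is itself a public suffix (e.g. "co.uk").
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(candidate)) {
      if (i === 0) return null;           // bare public suffix, no owner
      return labels.slice(i - 1).join('.');
    }
  }
  // Unknown TLD: fall back to last two labels so unlisted TLDs still resolve.
  return labels.length >= 2 ? labels.slice(-2).join('.') : null;
}

// Same-site decision a CSRF blocker might make: allow the request only when
// the initiating page and the target share a registrable domain.
function sameSite(originHost, targetHost, mainDomainFn) {
  const a = mainDomainFn(originHost);
  const b = mainDomainFn(targetHost);
  return a !== null && a === b;
}

// Demonstration: attacker on evil.co.uk targeting www.victim.co.uk.
function demo() {
  return {
    naiveAllowed: sameSite('evil.co.uk', 'www.victim.co.uk', naiveMainDomain),
    pslAllowed: sameSite('evil.co.uk', 'www.victim.co.uk', registrableDomain),
  };
}
```

With the naive rule `demo().naiveAllowed` is `true`, i.e. the cross-site POST from `evil.co.uk` to `www.victim.co.uk` would be let through; with the suffix-list rule it is `false`, while `www.victim.co.uk` and `api.victim.co.uk` are still treated as the same site.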
Currently I just reload the tab (this makes blocked POST requests valid), but there are many scenarios where this won't solve the issue.
Currently you can still do GET CSRF if you redirect the main window (navigate) to the URL. GET CSRF via images/other is still blocked though.
The code currently keeps track of the current URL by holding an array of tab object(s). This is because I didn't find any synchronous way to get the current URL...
The recommendation for remediating host spoofing in https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md is wrong. The recommendation is currently to use `$host` instead of `$http_host`, which does not remediate the issue and in certain cases...
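An added configuration example (not from gixy's documentation or from the comment's author) showing why swapping `$http_host` for `$host` alone does not stop host spoofing: `$host` is still taken from the client's Host header whenever the request lands in this server block, which it does for any Host value when the block is the default for its port. The hostname `example.com` is assumed.

```nginx
# Weak: redirect target is built from the client-controlled Host header.
server {
    listen 80;
    server_name example.com;
    return 301 https://$http_host$request_uri;
}

# Still weak: $host only strips the port and lowercases. Without another
# server block claiming unmatched Host values, a request with
# "Host: attacker.example" is routed here and $host becomes attacker.example.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# Hardened: an explicit default server drops requests whose Host matches no
# configured server_name, and the redirect uses a fixed hostname, so a
# spoofed Host header can neither reach this block nor influence the target.
server {
    listen 80 default_server;
    return 444;
}

server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
```

The same reasoning applies to `proxy_pass`, `proxy_set_header Host`, and `Location`-style rewrites that embed `$host`: the variable is only trustworthy once the server block can be reached solely with an allowed Host header.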
The code for checking if the extended element is framable doesn't make sure that the value is a string (alternatively; that the value checked is the same value that is...
When checking if an inserter function contains shadow DOM, the code expects the argument to be a string (argument is added as `innerHTML` on a new `html` tag). But many...