Closed diracdeltas closed 8 years ago
I couldn't get it to load test.com even when I tried to alter the CSP to allow it. Adding the username/password made the entry invalid, and it didn't work with just test.com, but calling parseInt on it seems like a good idea anyway.
In https://github.com/brave/browser-laptop/blob/aafa62a373b9bec7b669ced88dd36304410206e8/app/extensions/brave/js/about.js, devServerPort is untrusted input, so it should be validated.
e.g.: any page can do window.open("chrome-extension://mnojpmjdmbbfmejpflffifhffcmidifd/about-flash.html?devServerPort=foo@test.com/")
It doesn't directly cause an issue thanks to CSP, it seems.
Thanks to Tavis Ormandy for the report.
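As an added illustration of the validation the issue asks for (this is example code written for this page, not Brave's about.js or a patch from the project), the following parses devServerPort from a query string and accepts only a plain decimal port in the valid range. The query key devServerPort and the sample value foo@test.com/ come from the issue; the function names, the localhost origin and the strict digits-only check are assumptions. A bare parseInt call would turn "8080@test.com/" into 8080 and drop the trailing text silently, so the example checks the shape of the string before converting it.

```javascript
// Added example (not Brave's about.js): validate a port value taken from the
// page's own query string before using it to build a dev-server URL.
// The query-string key `devServerPort` is from the issue; the function names
// and the hardened behaviour are assumptions for illustration.

const MIN_PORT = 1;
const MAX_PORT = 65535;

// Returns an integer port, or null if the input is not a plain decimal port.
function parseDevServerPort(raw) {
  if (typeof raw !== 'string') return null;
  // Shape check first: parseInt("8080@test.com/", 10) would return 8080 and
  // silently accept the trailing junk, so require digits only.
  if (!/^\d{1,5}$/.test(raw)) return null;
  const port = parseInt(raw, 10);
  if (port < MIN_PORT || port > MAX_PORT) return null;
  return port;
}

// Pull devServerPort out of a URL's query part, e.g. "?devServerPort=8080".
function devServerPortFromQuery(queryString) {
  const params = new URLSearchParams(queryString);
  return parseDevServerPort(params.get('devServerPort'));
}

// Build the dev-server origin only from a validated port; the host is fixed
// (assumed to be localhost), so attacker-controlled text never reaches the URL.
function devServerOrigin(queryString) {
  const port = devServerPortFromQuery(queryString);
  if (port === null) return null;
  return `http://localhost:${port}`;
}

// Constructed inputs: the value from the issue and a well-formed port.
console.log(devServerOrigin('?devServerPort=foo@test.com/')); // null
console.log(devServerOrigin('?devServerPort=3000'));          // http://localhost:3000
```

Because the host part is a constant and only the validated integer is interpolated, a value such as foo@test.com/ is rejected before any URL is built, independent of whether CSP would have blocked the resulting load.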