Open shhnjk opened 5 years ago
When Layered API increases, there maybe a case where Layered API could be used as a script gadget. And I think browser should provide a way for site owner block loading of std: scripts (e.g. std:virtual-scroller).
std:virtual-scroller
Just to be clear, I'm talking about an attack like following, where JS file is hosted within the browser and there's no way for website to block attacker from abusing that script. https://mksben.l0.cm/2018/05/cve-2018-5175-firefox-csp-strict-dynamic-bypass.html
When Layered API increases, there maybe a case where Layered API could be used as a script gadget. And I think browser should provide a way for site owner block loading of std: scripts (e.g.
std:virtual-scroller).Just to be clear, I'm talking about an attack like following, where JS file is hosted within the browser and there's no way for website to block attacker from abusing that script. https://mksben.l0.cm/2018/05/cve-2018-5175-firefox-csp-strict-dynamic-bypass.html