google / csp-evaluator

https://csp-evaluator.withgoogle.com
Apache License 2.0

Whitelists should be in external json files #1

Closed april closed 7 years ago

april commented 7 years ago

Hello hello! Would it be possible to move the whitelists to external json files, instead of having them in the code? It would make it much easier for other projects that might use the data to consume. :)

Thanks so much!

lweichselbaum commented 7 years ago

Absolutely, I'll look into it and hope to be able to commit the json files tomorrow.

Arinerron commented 1 year ago

I wish some of these had "citations" or links for evidence that they host jsonp files...

lweichselbaum commented 1 year ago

We discussed this, but decided to not disclose the exact jsonp endpoint parameters. Our goal was to show in [1] that a majority of host allowlist CSPs contain at least one jsonp endpoint (or a domain hosting angularjs, etc.) that would allow for a trivial CSP bypass. Making exploitation easier was a non-goal. Since these endpoints were found and verified in 2016 it is likely that many of them don't exist anymore.

[1] https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45542.pdf
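The two threads above (keeping the bypass-prone host data in an external JSON file, and the finding that host-allowlist `script-src` policies are weak when they allowlist such a host) can be joined in one small checker. This is an added example, not csp-evaluator's own code: the JSON file layout and the hostnames in it are constructed placeholders, and it assumes, as the paper linked in [1] recommends, that a nonce-based policy with `'strict-dynamic'` is the safe alternative to a host allowlist.

```python
import json
import re

# Constructed stand-in for the external JSON data file the issue asks for.
# Categories and hostnames are placeholders, not the evaluator's real list.
BYPASS_HOSTS_JSON = json.dumps({
    "jsonp": ["jsonp.example-cdn.test", "api.example-widgets.test"],
    "angular": ["angular-hosting.example.test"],
})

def load_bypass_hosts(raw_json):
    """Flatten the JSON categories into a {hostname: category} lookup."""
    data = json.loads(raw_json)
    return {host: cat for cat, hosts in data.items() for host in hosts}

def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_of(source):
    """Host part of a CSP source expression; None for keywords and bare schemes."""
    if source.startswith("'") or source.endswith(":"):
        return None
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:]+)", source, re.I)
    return m.group(1).lower() if m else None

def evaluate_script_src(header, bypass_hosts):
    """Classify the effective script-src and list allowlist entries to review.

    Returns (kind, findings): kind is 'nonce-based' when a nonce plus
    'strict-dynamic' is present (host entries are then ignored by browsers),
    otherwise 'host-allowlist'. findings holds (source, reason) pairs for
    wildcard hosts and for hosts present in the bypass data file."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if any(s.startswith("'nonce-") for s in sources) and "'strict-dynamic'" in sources:
        return "nonce-based", []
    findings = []
    for s in sources:
        host = host_of(s)
        if host is None:
            continue
        if host.startswith("*"):
            findings.append((s, "wildcard"))
        elif host in bypass_hosts:
            findings.append((s, bypass_hosts[host]))
    return "host-allowlist", findings
```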