google / csp-evaluator

https://csp-evaluator.withgoogle.com
Apache License 2.0
335 stars 46 forks source link

Remove appcenter.intuit.com #45

Closed ccloes closed 2 years ago

ccloes commented 2 years ago

This endpoint has been patched and is no longer vulnerable.

ccloes commented 2 years ago

@lweichselbaum is this something that you would review?

ddworken commented 2 years ago

While that specific endpoint no longer works, it looks like there are still other jsonp endpoints on appcenter.intuit.com. For example, https://appcenter.intuit.com/Connect/ShowIntroMessageJSONP?callback=alert(0);foo. Before removing appcenter.intuit.com from this list we'd want to ensure there are no more jsonp endpoints on appcenter.intuit.com.

ccloes commented 2 years ago

Let me get back to the team and report back. Thank you for your reply.

ccloes-intuit commented 2 years ago

@ddworken We have gone through that endpoint and can confirm that ShowIntroMessageJSONP is no longer vulnerable as well. We have queried for all other JSONP endpoints and show no others (than these two). Thank you for pointing it out.

Please let us know if there is anything else you need from us on this.