Daniel Veditz
I have no idea, I didn't know that was possible! I don't see anything requesting or obviously requiring it in your manifest. Perhaps it's automatic for "experimental" addons? Maybe there's...
As a side note, Chrome does send `Sec-Fetch-Site: cross-site` with these redirected sub-resource requests, so internally the networking code does seem to know the correct same-site value of the request....
"Default" is an explicit value for the `same-site-flag` in the algorithms and storage model defined in Section 5. It's not a part of the `Set-Cookie:` syntax. Unfortunately it looks like...
> What is the alternative, leave injection attacks at 3rd in OWASP 10?

Content-security-policy already does a fantastic job of preventing injection XSS, but only if you use it...
> So the objection to TT is maybe: "mozilla does not think it's worth securing web frameworks only vanilla JS APIs"?

That's not even remotely close...
TT can require you to sanitize inputs to sinks, but you have to provide your own sanitizing routines. The Sanitizer API gives you a sanitizer but can't make you use...
I added some information to https://bugzil.la/1746517 on how to test that flow in Firefox
> Over the past 30 days we've seen over 344,000 people hit this flow, which seems like a lot. Maybe we should consider doing something here?

Does that represent a...
See also https://bugzilla.mozilla.org/show_bug.cgi?id=1616137
> since we have done it twice in the past

Technically once, with two different but related names. I believe at the time Mike looked for cookies using those specific...