I deleted some toots on CVE-2020-6519, these were incorrect. Upon closer inspection, this turned out to be a minor issue, only relevant in rare edge cases. An important part is missing from the description: inline scripts have to be allowed.


That's the real reason why perimeterx.com/tech-blog/2020/ lists some sites being vulnerable while others are "safe": all these sites allow inline scripts in their CSP. Yet if attackers can run scripts on the target domain, they already can do pretty much anything they want.

· · Web · 0 · 0 · 0
Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.