Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://gleasonator.com/objects/3b195fec-a9cb-43df-9a83-fc7f9f3f8d2a">Alex Gleason (alex@gleasonator.com)'s status on Monday, 29-May-2023 23:04:52 JST</a><a href="https://gleasonator.com/users/alex" title="alex@gleasonator.com"><img src="https://gnusocial.jp/avatar/1712-48-20220726020642.webp" width="48" height="48" alt="Alex Gleason" style="position: absolute; left: 0; top: 0;">Alex Gleason</a><div><a href="https://rdrama.cc/objects/2e29c96c-810f-4fdb-b3a9-ea048361f74f" rel="in-reply-to">in reply to</a><ul><li><li><a href="https://gnusocial.jp/user/1002" title="mint@ryona.agency"></a></li><li><a href="https://gnusocial.jp/user/1291" title="lain@lain.com">on-lain ✔ᵛᵉʳᶦᶠᶦᵉᵈ</a></li><li><a href="https://gnusocial.jp/user/47280" title="crunklord420@rdrama.cc">CrunkLord420</a></li></ul></div></section><article><a href="https://rdrama.cc/users/crunklord420">@crunklord420</a> <a href="https://ryona.agency/users/mint">@mint</a> <a href="https://lain.com/users/lain">@lain</a> <a href="https://poa.st/users/graf">@graf</a> You're misunderstanding the problem. The issue is that the mime detection is too good. We get back application/javascript instead of text/plain for uploaded JS files, leading to injection possibility without needing to bypass CSP in any way.</article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/1599447#notice-3154699">In conversation</a><time datetime="2023-05-29T23:04:52+09:00" title="Monday, 29-May-2023 23:04:52 JST">Monday, 29-May-2023 23:04:52 JST</time> <span>from <span><a href="https://gleasonator.com/objects/3b195fec-a9cb-43df-9a83-fc7f9f3f8d2a" rel="external" title="Sent from gleasonator.com via ActivityPub">gleasonator.com</a></span></span><a href="https://gleasonator.com/objects/3b195fec-a9cb-43df-9a83-fc7f9f3f8d2a">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Monday, 29-May-2023 23:04:52 JSTAlex Gleason
in reply to
@crunklord420 @mint @lain @graf You're misunderstanding the problem. The issue is that the mime detection is too good. We get back application/javascript instead of text/plain for uploaded JS files, leading to injection possibility without needing to bypass CSP in any way.
In conversationMonday, 29-May-2023 23:04:52 JST from gleasonator.compermalink

Public

Embed Notice

HTML Code

Corresponding Notice