NDevTK

@ndevtk

Followers
965
Following
745
Statuses
268

Still pretending to be a security researcher.

Joined September 2021
@ndevtk
NDevTK
2 months
I asked an LLM to make a Chromium security wiki based off the codebase :) it's still learning.
1
1
12
@ndevtk
NDevTK
2 months
@JayateerthaG Need to find some way of automating it, currently I have to keep talking to the LLM :)
0
0
1
@ndevtk
NDevTK
2 months
@JayateerthaG I'm bad at web design you can improve the style at otherwise I will brute force it with lots of theme options.
0
0
0
@ndevtk
NDevTK
2 months
@rebane2001 For a same-origin element it doesn't seem that bad, the crashing does make it a very visible attack.
1
0
0
@ndevtk
NDevTK
2 months
Bug write-up for "Google XSS part 2" :)
0
25
109
@ndevtk
NDevTK
3 months
Firefox version:
0
1
5
@ndevtk
NDevTK
3 months
@joaxcar Thanks, please do provide feedback in reviews or hopefully it will be on the Firefox store soon :)
0
0
0
@ndevtk
NDevTK
3 months
@joaxcar Good idea, I should compare it against the alternatives to make sure its existence is justified, don't want a generic extension.
1
0
0
@ndevtk
NDevTK
4 months
This post along with the link on that profile acts as confirmation of ownership for
0
0
3
@ndevtk
NDevTK
4 months
@jduck I did look, seems there's at least a check for CATEGORY_BROWSABLE, not sure if it's to the same filtering standard as Chromium does but harder to test, may need to publish a Google Play app.
1
0
0
@ndevtk
NDevTK
4 months
@rebane2001 I think the problem with this is that the copyright is for 2009 and in 2012 Google would at least use 2011 as the year.
0
0
1
@ndevtk
NDevTK
4 months
@ma1 @noscript In the Chrome settings under "Site Settings" there's an option to control what sites can run JavaScript, sadly not going to have all the features of NoScript but it's a start.
0
0
0
@ndevtk
NDevTK
4 months
Bug write-up for "Miscellaneous", it's got all the boring stuff like XSS on gstatic, my failed attempt with AI and Google open redirects. Although one did get $100 🦆
0
18
75
@ndevtk
NDevTK
4 months
@rebane2001 @cocoh_23 It would have been fun to have an ID leak included even if "just" a random file in the user's drive :/
0
0
0
@ndevtk
NDevTK
4 months
@cocoh_23 Depends on the threat model, it's not an XS-Leak since it's same-site, if you assume a compromised renderer then it's easy to abuse :) Can't test without a paid for GitHub service.
0
0
0
@ndevtk
NDevTK
4 months
@cocoh_23 Seems you're trying to get *.pages.github.io site isolated. For the invite step maybe it could be a login XSRF, otherwise there's a bit of social engineering.
1
0
0
@ndevtk
NDevTK
5 months
Some changes to the writeups page: duck.css now has a lot more ducks, it used to just be the cursor, which especially for mobile users was very misleading. 🦆 typoifier.css will no longer add typos to URLs, email addresses or reward amounts to improve usability.
0
0
4