Hacker News
MarsIronPI, 5 days ago, on: We pwned X, Vercel, Cursor, and Discord through a ...
Shouldn't the ignoring of scripting be done at the user agent level? Maybe some kind of HTTP header to allow sites to disable scripts in SVG, à la CORS?
demurgos, 4 days ago
It's definitely a possible solution if you control how the files are displayed. In my case I preferred the files to be safe regardless of the mechanism used to view them (less risk of misconfiguration).
antiloper, 5 days ago
Content-Security-Policy: default-src 'none'
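Both answers in the thread, as an added Python example that is not code from the thread or from the article it discusses: antiloper's response header, which stops scripts at the user agent when the SVG is opened as a document, and demurgos's preference for making the file itself safe before it is stored. The helper names (sanitize_svg, svg_response_headers, _url_is_safe) and the sample SVG are my own; the sanitizer is a demonstration of the idea, not a complete allow-list sanitizer.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep the serializer from inventing ns0: prefixes when the tree is written back out.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can carry executable or embedded-document content (compared by
# lower-cased local name, so an XHTML <script> inside <foreignObject> is caught too).
STRIPPED_ELEMENTS = {"script", "foreignobject"}
# Attributes whose value is a URL the browser may navigate to or fetch.
URL_ATTRIBUTES = {"href"}
# URL schemes a stored SVG is allowed to reference ("" covers relative URLs and #fragments).
ALLOWED_SCHEMES = {"", "http", "https"}


def _local_name(qname: str) -> str:
    """'{uri}name' -> 'name'; a plain 'name' is returned unchanged."""
    return qname.rsplit("}", 1)[-1]


def _url_is_safe(value: str) -> bool:
    """Allow-list the URL scheme. The WHATWG URL parser discards ASCII tab and
    newline before looking for a scheme, so do the same before deciding."""
    cleaned = re.sub(r"[\t\n\r]", "", value.strip())
    return urlsplit(cleaned).scheme.lower() in ALLOWED_SCHEMES


def sanitize_svg(svg_text: str) -> str:
    """Return a copy of the SVG with script-bearing elements, on* event handler
    attributes and href values outside the scheme allow-list removed.
    Demonstration only: production code should parse untrusted XML with a
    hardened parser (e.g. defusedxml) and allow-list elements and attributes
    rather than deny-list them."""
    root = ET.fromstring(svg_text)
    # Materialize the traversal first so removing children cannot skip nodes.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local_name(child.tag).lower() in STRIPPED_ELEMENTS:
                parent.remove(child)
    for element in root.iter():
        for name in list(element.attrib):
            local = _local_name(name).lower()
            if local.startswith("on"):  # onload=, onclick=, onbegin=, ...
                del element.attrib[name]
            elif local in URL_ATTRIBUTES and not _url_is_safe(element.attrib[name]):
                del element.attrib[name]
    return ET.tostring(root, encoding="unicode")


def svg_response_headers() -> dict:
    """Headers for serving a user-supplied SVG as its own document."""
    return {
        "Content-Type": "image/svg+xml",
        # antiloper's header: with default-src 'none' the document may not run
        # scripts, load external resources, or apply inline styles (add
        # style-src 'unsafe-inline' if the SVG relies on <style>).
        "Content-Security-Policy": "default-src 'none'",
        # Stop the browser from second-guessing the declared type.
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample input (not from the thread): one SVG carrying the three
# vectors the sanitizer handles, plus a benign link that must survive.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="run()">'
    "<script>run()</script>"
    '<a xlink:href="javascript:run()"><circle r="5" onclick="run()"/></a>'
    '<a href="https://example.com/"><rect width="2" height="2"/></a>'
    "</svg>"
)

if __name__ == "__main__":
    print(sanitize_svg(SAMPLE_SVG))
    for header, value in svg_response_headers().items():
        print(f"{header}: {value}")
```

The two measures cover different situations. The CSP header only matters when the SVG is navigated to directly or framed, since a browser never runs scripts in an SVG loaded through an `<img>` element or CSS; it does nothing for a copy of the file that is downloaded and opened elsewhere, which is the case demurgos is guarding against by sanitizing at upload time.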