Hacker News

CORS won't do it, because it protects the response target, not the response source.

CSP would do the trick, though.

The other fix is properly escaping things before sticking them in your markup.



> The other fix is properly escaping things before sticking them in your markup.

Or simply not displaying user data using a markup language with built-in remote code execution.


Well, yes, there are various levels of "thinking outside the box" here that could be applied.
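An added example, not from any commenter in this thread: the two fixes the thread names (a strict Content-Security-Policy and escaping before concatenation into markup), next to the alternative from the reply above of never handing user data to an HTML parser at all. The `fakeDocument` object, the `renderUnsafe`/`renderSafe` helpers and the `cspForbidsInlineScript` check are constructed for this illustration; the CSP directives themselves are standard ones.

```javascript
// Added illustration of the thread's three options; none of this is code
// from the original comments.

// Escape the five characters that can change the meaning of text placed
// into an HTML text node or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the user-controlled string is concatenated straight into markup,
// so any tag it contains is parsed as part of the page.
function renderUnsafe(username) {
  return `<p>Hello, ${username}!</p>`;
}

// Hardened: the same template, with the untrusted value escaped first.
function renderSafe(username) {
  return `<p>Hello, ${escapeHtml(username)}!</p>`;
}

// A strict Content-Security-Policy value (constructed here): scripts only from
// the page's own origin and no inline script, so an injected <script> tag or
// inline event handler would be blocked by the browser even if escaping failed.
const CSP_HEADER_VALUE =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Minimal check a response test can run: does the policy's script source list
// rule out inline scripts and the wildcard origin?
function cspForbidsInlineScript(policy) {
  const directives = Object.fromEntries(
    policy.split(';')
      .map((d) => d.trim())
      .filter(Boolean)
      .map((d) => { const [name, ...src] = d.split(/\s+/); return [name, src]; })
  );
  const scriptSrc = directives['script-src'] || directives['default-src'] || [];
  return !scriptSrc.includes("'unsafe-inline'") && !scriptSrc.includes('*');
}

// Constructed stand-in for the DOM so the example also runs outside a browser;
// in a real page you would pass `document` instead.
const fakeDocument = {
  createElement: (tag) => ({ tagName: tag, textContent: '' }),
};

// The "don't display it through markup at all" option: assign the string to a
// text node via textContent, which the browser never parses as HTML.
function renderAsText(username, doc = fakeDocument) {
  const p = doc.createElement('p');
  p.textContent = `Hello, ${username}!`;
  return p;
}

// Constructed sample input: the classic probe string used to test escaping.
const sample = '<script>alert(1)</script>';
console.log(renderUnsafe(sample)); // tag survives intact into the markup
console.log(renderSafe(sample));   // tag rendered as visible text only
console.log(renderAsText(sample).textContent);
console.log(cspForbidsInlineScript(CSP_HEADER_VALUE));
```

The escaping helper is only correct for text content and double-quoted attribute values; a value placed inside a `<script>` block, a URL, or CSS needs a different encoder, which is exactly why the reply above prefers not to route user data through markup at all.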



