Hacker News: anglebracket's comments

Yes, this isn't even the first cross-domain leakage attack on iframes using CSS. [0] There were similar issues with how hit testing was implemented for `document.elementFromPoint()`[1], and probably tons of other things I'm forgetting.

Ideally cross-origin framing would have been disallowed by default but frames were added to the spec before people spent a lot of time thinking about the same-origin-policy implications.

[0]: https://www.contextis.com/resources/white-papers/pixel-perfe...

[1]: http://blog.saynotolinux.com/blog/2014/02/05/whats-that-smel...


That's similar to what Kaminsky proposed with Iron Frame[0], but obviously it'd have to be opt-in. Applying Iron Frame-like rendering to all iframes would break a lot of content.

[0]: https://dankaminsky.com/2015/08/09/defcon-23-lets-end-clickj...


Not a great sign when they have only a handful of pages and still manage to have super basic XSS issues.


I don't believe so. emacs-slack uses their official OAuth2 + Websocket integration https://github.com/yuya373/emacs-slack#how-to-get-token-the-...


This is, incidentally, an argument about how a well-designed system like emacs can make writing a truly-native app easy: so easy that some random guy was able to take the API and write a client for a text editor (granted, the greatest & best text editor the world has ever known …).

If it's so hard to write native macOS, Windows, gtk+ or Qt apps — maybe that's a fault of those development environments. Granted, 'display sequences of text, optionally with some images' is kinda in emacs's wheelhouse.


It isn't hard to write native apps, but if you already have a web app, wrapping it in Electron is a lot cheaper.


Correct. emacs-slack uses WebSockets and Slack's Real-Time Messaging API.


Generally if you have a CSP without `unsafe-inline` you'd have a policy that would restrict all subresources (`default-src 'none'`), then punch holes in the policy by resource type (`img-src`, `script-src`, etc.)

For ex. if you have a proper CSP with `default-src 'none'` you should be fine so long as you didn't allow `*` or `unsafe-inline` in any of the other `<X>-src` directives.
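To put the comment's reasoning into code, here is an added checker (my example, not anglebracket's code or any project's): it parses a CSP header value, resolves each fetch directive through the `default-src` fallback, and flags `*` or `'unsafe-inline'` in the effective source list. It goes one step past the comment by also treating bare scheme sources such as `https:` as host wildcards; the sample policies are constructed.

```python
from typing import Dict, List

# Fetch directives that fall back to default-src when they are not set.
FALLBACK_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                       "font-src", "media-src", "object-src", "frame-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            # Browsers honour the first occurrence of a directive and ignore repeats.
            policy.setdefault(parts[0].lower(), [s.lower() for s in parts[1:]])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Source list that actually governs `directive` after the default-src fallback."""
    if directive in policy:
        return policy[directive]
    # Neither the directive nor default-src is present: nothing is restricted.
    return policy.get("default-src", ["*"])


def audit_csp(header: str) -> List[str]:
    """Return findings for a policy that is meant to start from default-src 'none'."""
    policy = parse_csp(header)
    findings: List[str] = []
    if policy.get("default-src") != ["'none'"]:
        findings.append("default-src: not 'none', unlisted resource types are unrestricted")
    for directive in FALLBACK_DIRECTIVES:
        sources = effective_sources(policy, directive)
        # A bare scheme like https: matches every host, so it counts as a wildcard.
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            findings.append(f"{directive}: wildcard host allows loads from any origin")
        if "'unsafe-inline'" in sources and directive in ("script-src", "style-src"):
            findings.append(f"{directive}: 'unsafe-inline' allows injected inline code")
    return findings


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real site.
    for hdr in ("default-src 'none'; script-src 'self'; img-src 'self'",
                "default-src 'none'; img-src *; style-src 'self' 'unsafe-inline'"):
        print(hdr, "->", audit_csp(hdr) or "ok")
```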


They shouldn't. These examples all rely on being able to cause an image load on a host the attacker controls if the CSS rule is applied. reddit blocks stylesheets that reference off-site resources. See https://github.com/reddit-archive/reddit/blob/master/r2/r2/l...


> The screenshot of their app on the iOS App Store shows a bunch of credible logos of their mentions, but then quotes "VyperVPN is the best service on the market" as coming from a reddit comment by a random user. Questionable tactic.

That's referring to reddit the company, and it was quoting one of reddit's sysadmins: https://www.goldenfrog.com/blog/reddit-gives-every-employee-...


Ah good catch, will update that.


Yep, you can see that Ubuntu has been backporting security fixes: https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.1


Interesting! I haven't spent much time looking at OS X internals, but I'll remember this for next time. Have any resources for other OS X quirks like this?


> i've never seen the 'my' keyword before, what exactly is this language?

It's Perl: http://perldoc.perl.org/functions/my.html

