|
|
|
|
|
|
by epanastasi
3176 days ago
|
|
|
Thinking about mitigation here... It appears that some of the included scripts have crossorigin="anonymous" script tags. Wouldn't this prevent authenticated access to to the circleCI domain, aka preventing the creation of api tokens or access to the API using the logged in browser context for any script loaded off the circleci domain? Also, not that they do so, but would Access-Control-Allow-Origin set to something other than * prevent 3rd party requests to the API for scripts loaded from 3rd party domains. Also curious if anyone has written a JS library that patches XMLHttpRequest.prototype to audit exfiltration of data in the DOM. |
|
|