by nertzy
2596 days ago
Yes, this is why developers should use URI-building libraries instead of direct string manipulation to modify URIs. If I visit an HTML page with a link to “.evil.com/people/123” and click on it, the user agent won’t append “.evil.com” to the hostname. You’d instead get something like “https://api.hotstartup.com/.evil.com/people/123” which would be safe (if not broken).
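The difference described in the comment above, as an added example that is not part of the original comment: string concatenation versus resolving the input as a relative reference with the WHATWG `URL` API. The function names and `ALLOWED_HOST` are assumptions for illustration, and the host check after resolution goes beyond the comment, because an absolute URL passed as input replaces the base entirely.

```javascript
// Added example. BASE and the ".evil.com/people/123" input come from the
// comment; function names and ALLOWED_HOST are assumptions.
const BASE = "https://api.hotstartup.com";
const ALLOWED_HOST = "api.hotstartup.com";

// String manipulation: the input is glued onto the authority, so a value
// starting with "." continues the hostname instead of starting a path.
function buildByConcat(path) {
  return BASE + path;
}

// URI-building: resolve the input against the base the way a user agent
// resolves a link, then confirm the result still points at the intended host.
function buildByResolution(path) {
  const url = new URL(path, BASE + "/");
  if (url.protocol !== "https:" || url.host !== ALLOWED_HOST) {
    throw new Error("refusing URL outside " + ALLOWED_HOST + ": " + url.href);
  }
  return url.href;
}

// Helper to show which host a finished URL string would actually contact.
function hostOf(href) {
  return new URL(href).host;
}

// Constructed sample inputs: a normal path, the value from the comment,
// and an absolute URL that resolution alone would accept as-is.
const samples = ["/people/123", ".evil.com/people/123", "https://other.example/people/123"];
for (const input of samples) {
  let resolved;
  try {
    resolved = buildByResolution(input);
  } catch (err) {
    resolved = "rejected (" + err.message + ")";
  }
  console.log(JSON.stringify(input));
  console.log("  concat     -> host " + hostOf(buildByConcat(input)));
  console.log("  resolution -> " + resolved);
}
```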