by jamespwilliams
1587 days ago
GitHub Pages are served with Access-Control-Allow-Origin: *, so the SOP doesn’t apply. They also don’t set a CSP header, which opens up the opportunity to exfiltrate data by other means, e.g. having the browser load an image on your.site/$password.jpg.
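As a defender-side check for the two properties this comment describes, here is an added example (not written by the comment's author): it audits a response's headers for a wildcard Access-Control-Allow-Origin and for a Content-Security-Policy that would still let an `<img>` load from a third-party host. The header samples and the `third-party.example` probe URL are constructed, and the CSP source matcher is a deliberately simplified subset of the real algorithm.

```python
from urllib.parse import urlparse
# Constructed examples, not captured responses: headers as the comment describes
# GitHub Pages serving them, and a hardened counterpart for comparison.
PAGES_LIKE_HEADERS = {"Access-Control-Allow-Origin": "*", "Content-Type": "text/html"}
HARDENED_HEADERS = {"Content-Security-Policy": "default-src 'self'; img-src 'self' https://cdn.example"}

def parse_csp(value):
    """Parse a CSP header value into {directive: [sources]}; the first of duplicate directives wins."""
    policy = {}
    for tokens in (d.split() for d in value.split(";")):
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_allows(sources, page_origin, target_url):
    """Simplified CSP source matching (*, 'self', scheme-, host- and *.wildcard sources); ports and paths ignored."""
    if sources is None:  # directive absent and no default-src: nothing restricts the load
        return True
    target, page = urlparse(target_url), urlparse(page_origin)
    for src in (s.lower() for s in sources):
        if src == "*":
            return True
        if src.startswith("'"):  # 'self', 'none', nonces, hashes: only 'self' can match a host
            if src == "'self'" and (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
        elif src.endswith(":"):  # scheme-source such as https:
            if target.scheme == src[:-1]:
                return True
        else:  # host-source, optionally scheme-prefixed, optionally a *.wildcard
            parsed = urlparse(src if "://" in src else "//" + src)
            host = parsed.hostname or ""
            if (not parsed.scheme or parsed.scheme == target.scheme) and (
                    host == target.hostname or (host.startswith("*.") and (target.hostname or "").endswith(host[1:]))):
                return True
    return False

def audit_headers(headers, page_origin, probe="https://third-party.example/p.jpg"):
    """Report the two weaknesses the comment names, judged by whether an <img> from a third-party host would load."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("wildcard Access-Control-Allow-Origin: any origin can read this response")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy: an <img> may be loaded from any host")
    else:
        policy = parse_csp(csp)
        if source_allows(policy.get("img-src", policy.get("default-src")), page_origin, probe):
            findings.append("Content-Security-Policy still allows img-src to third-party hosts")
    return findings
```

Run `audit_headers` against the headers of a real response (for example from `requests.head`) with the page's own origin to see which of the two findings apply.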