The current explanation for why `*.googleapis.com` is dangerous is the following:

> ajax.googleapis.com is known to host JSONP endpoints and Angular libraries which allow bypassing this CSP.

I find this weirdly specific, since this rule allows a much broader point of entry than ajax.googleapis.com: storage.googleapis.com allows anyone to upload and serve any file, without any checks or restrictions, for example: https://storage.googleapis.com/bg-common/samples/evil.js

I believe the warning would be better worded like this:

> storage.googleapis.com allows anyone to upload and serve any file, without any checks or restrictions.

This makes it more universal, as it's not related to either Angular or JSONP, which seem more niche and not necessarily relevant to the person reading.