tick_tock_tick 16 hours ago
The issue is everyone loves to have everything fronted by a single domain. Most XSS is because of this basic flaw. All of this could have been avoided if Discord didn't run their API docs through discord.com
__float 16 hours ago
It's a bit surprising they did that, to be honest. I work at a similarly-sized, HN-popular tech company and our security team is very strict about less-trusted (third party!!) code running on another domain, or a subdomain at the very least, with strict CSP and similar. But in the age of AI, it seems like chasing the popular thing takes precedence over good practices.
joshdavham 12 hours ago
Thanks for this comment tick_tock :) After reading this, I did some research and learned a lot. I never really considered that, by including many things under the same domain, you're increasing your blast radius w.r.t. security vulnerabilities. Thanks for that
staticassertion 12 hours ago
This is what it really comes down to. Browsers are built around origins as the major security boundary. When you use a separate origin, safety comes for free.
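The origin boundary the thread is talking about, as an added example that is not part of any commenter's post. It shows the (scheme, host, port) tuple the browser compares, why a subdomain counts as a separate origin for DOM and script access, and the one caveat a practitioner should check before declaring the move "free": cookies are scoped by domain-matching, not by origin, so a session cookie set with a Domain attribute is still sent to the subdomain hosting the less-trusted docs. The hostnames (example.com, docs.example.com) are placeholders for illustration, not a description of Discord's deployment.

```javascript
// Added example, not code from the thread. Same-origin comparison per RFC 6454
// and cookie domain-matching per RFC 6265; hostnames are constructed samples.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = scheme + host + port. The default port is written out explicitly
// so that "https://example.com" and "https://example.com:443" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// True when script on page `a` may read the DOM, storage and responses of `b`.
// Path does not matter: /developers/docs and /app on one host are one origin,
// which is exactly why an XSS in the docs reaches the app.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// RFC 6265 section 5.1.3 domain-matching. A cookie with Domain=example.com
// (leading dot ignored) is sent to example.com and every subdomain of it;
// a host-only cookie (no Domain attribute) is sent only to the host that set it.
function cookieSentTo(cookie, host) {
  const h = host.toLowerCase();
  if (!cookie.domain) return h === cookie.setBy.toLowerCase();
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Summarise what a script injected at `attackerPage` can reach on `appPage`:
// the DOM/JS boundary (origin) and the credential boundary (cookie scope).
function blastRadius(attackerPage, appPage, sessionCookie) {
  const attackerHost = new URL(attackerPage).hostname;
  return {
    domAccess: sameOrigin(attackerPage, appPage),
    sessionCookieReachable: cookieSentTo(sessionCookie, attackerHost),
  };
}
```

Running blastRadius for docs served under the app's own host returns both flags true; moving the docs to a subdomain turns domAccess off, but sessionCookieReachable stays true until the session cookie is issued without a Domain attribute (host-only), which is the setting to verify alongside the CSP.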