1. 33
  1.  

  2. 9

    Only tangentially related, but… Running a social networking service for people in information security seems like it would be a total nightmare.

    1. 18

      Doesn’t seem too bad? You’re going to get some vulnerability reports, but at least the reporters are well-meaning professionals. E.g. hosting a cryptocurrency exchange would be a lot more exciting…

    2. 6

      In this case, the form-action directive would have stopped the attack. It is common to forget it when writing a CSP, especially because the fact that it is not affected by default-src is not common knowledge.