Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Add Content Security Policy to Dweets
See original GitHub issueCurrently, it’s possible to write a dweet that pulls in resources from outside sources (scripts, images, videos, etc).
A content security policy (CSP) can be used to block external resources from being loaded on dweet pages (//dweet.dwitter.net/id/####/ - the inner page of the iframe).
This would block dweets from pulling in external resources, which can be used as a means of bypassing the 140 byte limit or to execute cross-site request forgeries.
Making this change does come with one caveat, which is that it would break any existing dweets that make use of external resources. Not to pick on cantelope specifically, but here are some of his dweets as examples:
Issue Analytics
- State:
- Created 6 years ago
- Reactions:6
- Comments:11 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@atesgoral For example, a dweet containing the following snippet could be used to force users to log out of the site:
This is completed now, but see #367 for some remaining issues. Closing