• tal@lemmy.today
    6 months ago

    Not an area I’m familiar with, but this user says no:

    https://news.ycombinator.com/item?id=40918052

    lashkari 5 hours ago

    If it’s really accessible from *.google.com, wouldn’t this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?

    DownrightNifty 5 hours ago

    JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS happens.