Change Details

- Browsed around in Firefox, Safari and Chrome looking for console warnings. Interacted with various Javascript behaviors. Enabled Quicksand. - Disabled all the framebusting, launched a clickjacking attack, verified that each layer of protection is individually effective. - Verified that the XHProf iframe in Darkconsole and the PHPAST frame layout work properly. - Enabled notifications, verified no complaints about connecting to Aphlict. - Hit __DEV__ mode warnings based on the new data attribute. - Tried to do sketchy stuff with `data:` URIs and SVGs. This works but doesn't seem to be able to do anything dangerous. - Went through the Stripe and Recaptcha workflows. - Dumped and examined the CSP headers with `curl`, etc. - Added a raw <script> tag to a page (as though I'd found an XSS attack), verified it was no longer executed.

- Browsed around in Firefox, Safari and Chrome looking for console warnings. Interacted with various Javascript behaviors. Enabled Quicksand. - Disabled all the framebusting, launched a clickjacking attack, verified that each layer of protection is individually effective. - Verified that the XHProf iframe in Darkconsole and the PHPAST frame layout work properly. - Enabled notifications, verified no complaints about connecting to Aphlict. - Hit `__DEV__` mode warnings based on the new data attribute. - Tried to do sketchy stuff with `data:` URIs and SVGs. This works but doesn't seem to be able to do anything dangerous. - Went through the Stripe and Recaptcha workflows. - Dumped and examined the CSP headers with `curl`, etc. - Added a raw <script> tag to a page (as though I'd found an XSS attack), verified it was no longer executed.

- Browsed around in Firefox, Safari and Chrome looking for console warnings. Interacted with various Javascript behaviors. Enabled Quicksand. - Disabled all the framebusting, launched a clickjacking attack, verified that each layer of protection is individually effective. - Verified that the XHProf iframe in Darkconsole and the PHPAST frame layout work properly. - Enabled notifications, verified no complaints about connecting to Aphlict. - Hit `__DEV__` mode warnings based on the new data attribute. - Tried to do sketchy stuff with `data:` URIs and SVGs. This works but doesn't seem to be able to do anything dangerous. - Went through the Stripe and Recaptcha workflows. - Dumped and examined the CSP headers with `curl`, etc. - Added a raw <script> tag to a page (as though I'd found an XSS attack), verified it was no longer executed.