If it's really accessible from \*.google.com, wouldn't this be simple to verify/... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		lashkari on July 9, 2024 \| parent \| context \| favorite \| on: Google Chrome has an API accesible only from .goo... If it's really accessible from .google.com, wouldn't this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?

DownrightNifty on July 9, 2024 [–]

JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS happens.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact