undefined | Better HN

0 pointssolardev1y ago0 comments

That's probably a content security policy or CSS thing. Just tried it on a site (not HN, because of content security) and it worked fine.

0 comments

4RealFreedom1y ago

I've tried a few different sites and I can't make it happen. I'll keep trying.

solardevOP1y ago

See https://share.cleanshot.com/SFfm7sGZJQyJlwzmBgwr for an example

4RealFreedom1y ago

Wouldn't banks have content security setup?

solardevOP1y ago

Maybe? You'd hope, but who knows. Still easy to just replace the image with plain text in the HTML, or a data URL (if allowed). Or put an iframe in there. Point is, if they control the HTML they can do pretty much anything.

Edit: Just tried it with Chase, Merrill Lynch, Citibank, Bank of America, and Wells Fargo. Only Wells Fargo had a CSP in place to prevent this. But even Walls Fargo let you just inject a data URL image.

vednig1y ago

Systems that these banks have provided are provided for feasible access to your account.

They are not in any way interested inn tightening of fortgaurding their portal's rendering, until it ends up causing them to give more money i.e. bad for business.

j / k navigate · click thread line to collapse

0 comments

4RealFreedom1y ago

I've tried a few different sites and I can't make it happen. I'll keep trying.

solardevOP1y ago

See https://share.cleanshot.com/SFfm7sGZJQyJlwzmBgwr for an example

4RealFreedom1y ago

Wouldn't banks have content security setup?

solardevOP1y ago

vednig1y ago

Systems that these banks have provided are provided for feasible access to your account.

They are not in any way interested inn tightening of fortgaurding their portal's rendering, until it ends up causing them to give more money i.e. bad for business.

j / k navigate · click thread line to collapse