Comment by lashkari
6 months ago
If it's really accessible from *.google.com, wouldn't this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?
6 months ago
If it's really accessible from *.google.com, wouldn't this be simple to verify/exploit by using Google Sites (they publish your site to sites.google.com/view/<sitename>)?
JS on Google Sites, Apps Script, etc. runs on *.googleusercontent.com, otherwise cookie-stealing XSS happens.