lolsob. Developer attempts to replicate liquid glass in CSS and in the process accidentally discovers a novel and rather serious browser vulnerability

https://lyra.horse/blog/2025/12/svg-clickjacking/

"CSS hack accidentally becomes regular hack"

( via @citrusui )

SVG Filters - Clickjacking 2.0

A novel and powerful twist on an old classic.

lyra's epic blog
@mcc @citrusui Are there legitimate uses for iframes where the domain of the URL shown in the iframe is different than the site serving it? It seems like they're often used in questionable ways.
@AdamDavis @mcc @citrusui yes, for example you might want to embed a YouTube video or a map widget on a different site
@rebane2001 @AdamDavis @mcc @citrusui also payment forms, which are an example of a case where you both very much want them to be embedded and also very much don't want the parent site to be able to do anything
@leo @rebane2001 @AdamDavis @mcc @citrusui I don't get why people want so much to use iframes for payment. What's wrong with redirecting to the payment processor's page?
@SamantazFox @rebane2001 @AdamDavis @mcc @citrusui it's well established that literally any extra step in the payment process measurably decreases revenue
@leo @rebane2001 @AdamDavis @mcc @citrusui Oh, really? Or is that some shitpost?
@SamantazFox @leo @AdamDavis @mcc @citrusui yep, that's why one-click checkout is a thing