Skip to content
This repository was archived by the owner on Apr 30, 2026. It is now read-only.
This repository was archived by the owner on Apr 30, 2026. It is now read-only.

Cross domain issue with v1.1.0 #31

Description

@EchoDev

Cross domain CSS shows as vulnerable on first load. I'm not able to reproduce this consistently. Best way to reproduce this is by click on a link and open up the page in a new tab.

https://i.imgur.com/FK5KRFp.png

After an F5 everything is fine again. Weirdly enough the addon says there are 4 elements detected so it does detect the 4 sheets.

Steps to reproduce in some cases:

  1. Make sure CSS Exfil Protection extension is enabled
  2. Close all tabs with the test page
  3. Open the following link in a new tab https://www.mike-gualtieri.com/css-exfil-vulnerability-tester

Expected result:
Page shows browser is not vulnerable

Actual result:
Page says browser is vulnerable for cross domain CSS

Console log:

Not Vulnerable Test: 1
Vulnerable Test: 2
Not Vulnerable Test: 3
Vulnerable Test: 4

Tested on Firefox 79 and 80

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions