Talk:DOM clobbering/GA1

GA Review

Reviewer: Elli (talk · contribs) 21:18, 19 February 2024 (UTC)

Claiming this review. Will go through the article in the next few days. Elli (talk | contribs) 21:18, 19 February 2024 (UTC)


 * @Elli are you going to work on this? RoySmith (talk) 16:57, 4 March 2024 (UTC)
 * Sorry, just been caught up with a lot of stuff the past few weeks and haven't gotten the chance to sit down for an in-depth review. I am still planning to do this soon. Elli (talk | contribs) 17:31, 4 March 2024 (UTC)

History

 * do you have secondary sources for this?
 * I've added another source :)


 * Third paragraph relies mainly on primary sources and a corporate blog post; is there anything better that could be used here?
 * The blog post is a guest post by Gareth Heyes, who is a subject matter expert and PortSwigger is a fairly well-known (in the field) web-security-research-oriented company that regularly features posts from experts on their blog. I personally would consider that source to be fairly reliable.
 * I'll try to see if I can get any reporting on the rest, however, this might be a bit difficult since such proposals rarely make it into traditional RS


 * In general, this section might belong below the "Vulnerability" section? The content here (especially in the first paragraph) doesn't make a lot of sense if you don't understand what the vulnerability is.
 * Done :)

I am very sorry for the delay in starting this review. I'll get to the other sections soon. Elli (talk | contribs) 19:16, 4 March 2024 (UTC)


 * No issues, feel free to take your time :) Sohom (talk) 15:12, 5 March 2024 (UTC)

Vulnerability

 * Looks good, though could you point out the particular pages of "Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets" that verify the relevant content?

Example

 * Specifying the page here would also be good.

Threat model

 * that model hasn't been explained and isn't linked here.
 * The next sentence goes into the highlights of the model that are relevant to the article. Describing the whole model wouldn't be relevant to the page and I don't think we have an article for this specific model. (Hopefully once we have better coverage of this subject area, we should be able to tease out an article for it)

Defenses

 * not sure that a comment on GitHub is sufficient to establish this.
 * Added cite


 * Maybe expand this section a bit more in general? Proper sanitation would completely mitigate this, right? (Even if no libraries exist to do so.) snyk at least indicates that using proper scoping can help and is an easy mitigation; that probably should be mentioned.
 * Snyk is being a bit optimistic here. However, there does seem to be some scope for expansion.

Lead

 * I'd change the wording here to be a bit clearer, such as -- more concise.


 * again I'd want a better cite in the body for this than a comment on GitHub.
 * Ditto

Overall

 * This article is in pretty decent shape. Would suggest adding more specific page numbers to the sources (such as with rp or similar) to make verification easier. (If you do not want to do that, I would appreciate you providing the locations to me at least for easier verification.)

I've finished the initial review. I am so sorry for the long delay in getting to all of this. Elli (talk | contribs) 20:04, 9 March 2024 (UTC)