because the web is broken in every way imaginable for no reason and should have been discontinued about 14 years ago. but this is really old, now my favorite is dns rebinding [1]. this has to be one of the most beautiful examples of how core web devs do not understand ANYTHING. every single thing they have ever done is a misconception. not a single web dev related disclosure for the last 20 years has given me insight on how to design secure systems; it's always just a thing that would not exist in any alternate design. [1] https://github.com/mpgn/ByP-SOP
Interesting that the issue was solved in 2011 but presumably, the risk that someone is still using a 12+ year old browser is greater than the benefit of removing this trick. I wonder if they would ever deem it safe to remove.
So the protection was trapping the sinister script context running in my browser in an infinite loop. Clever! …Does that grind my browser to a halt? Why not just throw an error or something?