The Security of Ephemeral Pages
Summary
The Security of Ephemeral Pages walks through security vulnerabilities found in a micro-service that serves arbitrary HTML and the mitigations implemented. It identifies a critical same-origin XSS risk from uploaded HTML delivered from the API, and details HTTP header and sandboxing changes, along with medium-risk issues like upload abuse, admin token protection, and cross-origin checks, plus broader hardening steps and validation improvements. The piece emphasizes practical, code-level mitigations (CSP, sandboxed iframes, nosniff, referrer policies) and operational safeguards (rate limiting, logging, and secure secret handling).
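A defender-side check for the header mitigations named above, as an added example that is not code from the article or its service: it audits the response headers of an endpoint that serves uploaded HTML. The function name, finding labels, accepted Referrer-Policy set and sample responses are assumptions made for illustration; only the header names and directive keywords are standard.

```javascript
// Added example: audit response headers for an endpoint serving untrusted HTML.
// auditUntrustedHtmlHeaders and the finding labels are hypothetical names.
function auditUntrustedHtmlHeaders(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  // Split the CSP into directives: [["sandbox", "allow-scripts"], ["default-src", "'none'"], ...]
  const directives = (h['content-security-policy'] || '')
    .split(';').map(d => d.trim().split(/\s+/)).filter(d => d[0]);
  const sandbox = directives.find(d => d[0].toLowerCase() === 'sandbox');
  if (!sandbox) {
    // Without `sandbox`, uploaded HTML runs with the serving origin's privileges.
    findings.push('csp-sandbox-missing');
  } else {
    const flags = sandbox.slice(1).map(f => f.toLowerCase());
    // allow-scripts plus allow-same-origin gives scripts the real origin back.
    if (flags.includes('allow-scripts') && flags.includes('allow-same-origin')) {
      findings.push('csp-sandbox-ineffective');
    }
  }

  // nosniff stops the browser from re-interpreting the declared content type.
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('nosniff-missing');
  }

  // Assumption: accept only policies that never send the page path cross-origin.
  const accepted = ['no-referrer', 'same-origin', 'strict-origin',
                    'strict-origin-when-cross-origin'];
  // Simplification: browsers use the last policy they recognise; check the last token.
  const rp = (h['referrer-policy'] || '').split(',')
    .map(s => s.trim().toLowerCase()).filter(Boolean);
  if (rp.length === 0 || !accepted.includes(rp[rp.length - 1])) {
    findings.push('referrer-policy-weak');
  }
  return findings;
}

// Constructed sample responses (not captured from any real service).
const weak = { 'Content-Type': 'text/html' };
const halfFixed = {
  'Content-Security-Policy': "default-src 'none'; sandbox allow-scripts allow-same-origin",
  'X-Content-Type-Options': 'nosniff', 'Referrer-Policy': 'unsafe-url' };
const hardened = {
  'content-security-policy': "sandbox allow-scripts; default-src 'none'",
  'x-content-type-options': 'nosniff', 'referrer-policy': 'no-referrer' };
for (const r of [weak, halfFixed, hardened]) console.log(auditUntrustedHtmlHeaders(r));
```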