This android wallet has an internal browser and it incorrectly strips www. from hosts. This also affects their permission system, meaning this is the perfect bug to phish users.
They didn't answer multiple mails in 30 days, so it's being disclosed.
Oh yes, because of the CSP. The CSP that allows forms that can change your settings... you could easily use the above bug to get some impact with an additional click on a form's submit button.
Admittedly, no full XSS anymore, but still dangerous and shows their lack of understanding and caring about security.
It's not the only place you can inject HTML and not every page has a CSP...
I don't get why they allow injection of irrelevant URL parameters in the first place; it's the first rule of any input: remove what's not used and sanitize what is.
Regarding privacy: an obvious point is that you need to log in to use the search engine, so each search is tied to a unique user. Given that payment is involved, each user can be tied to a real-world identity.
So which search engine do you recommend that takes privacy seriously and that actually works (i.e. doesn't block me and return correct results) in Norway?
Marginalia Search's still a bit hit and miss. Haven't really actively been working on the search result quality lately, been too busy with various chores away from the actual search end of the search engine. It's gotten a bit better, but mostly by accident, through fixing bugs that had knock-on effects on quality.
A directed effort toward unfucking query understanding and index execution is up next on the list of tasks to tackle though. Hopefully it'll make a decent impact.
Like Google? Whose entire business model is pilfering that data without asking you? And who also asks you constantly to attach a phone number to your account, etc.?
In such a case, my pants would be in the laundry too, but I (perhaps mistakenly) assume writing angry comments about politicians - up to and including even worse kinds of violent wishes - has been kind of normal since forever, and nothing ever comes of it. Maybe I'm misjudging the power/prominence of Garry Tan (whom I had never heard of before today) relative to SV politicians?