Security Stuff Flash XSS Traps Adobe forgot to escape backslashes, so every Flash file that passes strings to JavaScript had XSS. Stealing Tokens With Harmony The Proxy feature in ES6 opened a new XSSI vector. ServiceWorker is a problem if you have a 'user content' domain (like Dropbox) Webkit URLs A tragedy in seven parts (so far) Safari Reader UXSS A non-hostname-based Safari bug Recent changes 2017-07-30: alert(1) was broken in Firefox (thanks Patrick G)