A read-only CryptPad spreadsheet with a list of known apps being used by #Pegasus as infection vectors, along with sources:
https://cryptpad.fr/sheet/#/2/sheet/view/rXFBpy4ztOsdWxO7ESgs52PsCev6wdRyRh9KhATiFNA/
DM me if you'd like write access to add things.
@Br0m3x interesting, it works fine here, just tested in Tor Browser myself.
@rysiek @Br0m3x There are 3 layers of nested #JavaScript. I enabled them in Ungoogled Chromium, at which point the blankness was replaced with a spreadsheet. But the spreadsheet cells are empty for me.
@Br0m3x @rysiek Ah, never mind, it works. The problem was that each time I enabled more js in uMatrix, the page was reloaded, which somehow caused the unique page identifier in the URL to change. So after enough js was enabled to present the spreadsheet UI, I had to reload the original URL and it worked.
@resist1984 @Br0m3x still better than Google Docs though
That's correct! CryptPad.fr handles cryptographic content (like keys), while sandbox.cryptpad.info is used for the platform's UI. The sandbox doesn't have access to the main domain's content and has a stricter content security policy which blocks nasty things like inline scripts.
Unfortunately, some adblockers use heuristics which can't distinguish between our sandbox iframe and an ad.
We actively test with uBlock Origin (which is used much more widely according to the Firefox add-on directory) and we've been compiling a list of known issues with other plugins which we hope to add to our documentation soon.
@cryptpad @resist1984 @Br0m3x thank you for responding!
@resist1984 @Br0m3x it can't come from the same domain for security reasons. The only way to properly sandbox user-controlled content is by using a separate domain for it:
https://www.html5rocks.com/en/tutorials/security/sandboxed-iframes/
I'm sure @cryptpad will have more to say here if you want. I am not in any way providing technical support for CryptPad.