AnalogMemory
Steps to reproduce:
Searched:
https://kagi.com/search?q=window.location
https://kagi.com/search?q=window.location.href
Any other strings after location will also 403.
Expected behavior:
Return results for the JavaScript method of window.
Debug info:
Happens in all browsers.
If I remove the last letter:
https://kagi.com/search?q=window.locatio
Kagi provides a link to the correctly spelled word. But this is also the same 403 😆
insomnia-creator
Oh boy, we need a dedicated post for this now. Time to try out every single JavaScript object in Kagi 😆
EDIT: <script> and <style> and maybe more HTML tags don't work.
EDIT 2: document.cookie doesn't work either.
AnalogMemory
window[.]location was the only method on window that seemed to trigger it. Which, after seeing the reasons it would be blocked, makes sense. More likely to be used in an XSS attempt.
Better to find the security overreactions than a lacking 🙂✌🏽
MaxR
I think I ran into the same bug with node.parentNode.
The entire query I ran was: "svelte TypeError: can't access property "removeChild", node.parentNode is null"
Kai
Would it be viable to exclude everything in the q parameter from the WAF? That would solve this and still provide the protection on the rest of the site.
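
The parameter-scoped exclusion Kai suggests, sketched as an added example that is not part of the thread and is not Kagi's code or configuration. The signatures, the `search.example` host and all function names are assumptions made for illustration; it also shows that once `q` is exempt from inspection, output encoding is what keeps the reflected query harmless.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Toy signatures built from the strings reported in the thread
# (constructed for illustration; not any real WAF's rule set).
XSS_PATTERNS = [
    re.compile(r"<\s*(script|style)\b", re.I),
    re.compile(r"\b(window\.location|document\.cookie)\b", re.I),
]

# Hypothetical exclusion list: (path, parameter) pairs exempt from inspection.
EXCLUSIONS = frozenset({("/search", "q")})


def inspect(url, exclusions=frozenset()):
    """Return 403 if any inspected parameter matches a signature, else 200."""
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if (parts.path, name) in exclusions:
            continue  # scoped: only this parameter on this path is skipped
        if any(p.search(value) for p in XSS_PATTERNS):
            return 403
    return 200


def render_query(url):
    """Reflect q into HTML. With q excluded from the WAF, this escaping
    is the control that stops the query from being interpreted as markup."""
    q = dict(parse_qsl(urlsplit(url).query)).get("q", "")
    return f"<h1>Results for {html.escape(q)}</h1>"


if __name__ == "__main__":
    search = "https://search.example/search?q=window.location.href"
    print(inspect(search))              # blocked without the exclusion
    print(inspect(search, EXCLUSIONS))  # allowed with it
    # Same parameter name on another path is still inspected.
    print(inspect("https://search.example/profile?q=document.cookie", EXCLUSIONS))
    print(render_query("https://search.example/search?q=%3Cscript%3E"))
```
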
insomnia-creator
Quick question sir, have you made an exception for each of these search results or disabled the 'javascript object' filter completely? I could try and search for more.