
I was about to say the same thing.

Think of the username.micro.blog pages as your personal home page, like a WordPress or Squarespace blog site. They're a hosting option for people who aren't tech-savvy enough to set up an RSS feed / 280-char micro-post RSS feed on their own site, or just don't want the hassle of maintaining that setup.

I believe others have tried posting similar XSS into a Micro.Blog post, and it gets filtered out in the timeline feed that followers read, whether on the site or via 3rd party clients. (Now if someone proves that wrong, that would be a big deal.)



I think it's only true as long as every *.micro.blog subdomain is properly isolated, and you can't access cookies/sessions from micro.blog (e.g. post/comment as someone else, if there's no CSRF token). I haven't checked, but hopefully it's the case here. See: https://security.stackexchange.com/questions/95369/persisten...


Different subdomains are different origins. So it's safe.



It's not quite that simple once cookies (and Internet Explorer/Edge) get involved. But it definitely could be secure.
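An added example, written for this page and not posted by any commenter above, modelling the distinction the last two comments are arguing about: the same-origin policy compares scheme, host and port exactly, so user.micro.blog and micro.blog are different origins and script on one cannot touch the other's DOM, but cookie scope follows RFC 6265 domain-matching, so a cookie set with Domain=micro.blog is attached to requests to every *.micro.blog host and is readable by script on any of them unless it is HttpOnly. The hostnames and Set-Cookie headers below are constructed for illustration; nothing here describes how Micro.blog actually configures its cookies.

```javascript
// Added example (not from the thread). Assumed, illustrative hostnames
// and Set-Cookie headers; not a description of any real deployment.

// Same-origin policy: (scheme, host, port) must match exactly.
// Default ports are normalised so https://a and https://a:443 compare equal.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// RFC 6265 section 5.1.3 domain-match: the request host equals the cookie
// domain, or ends with "." + domain and is not an IPv4 literal.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return host.endsWith("." + domain);
}

// Minimal model of a stored cookie. With no Domain attribute the cookie is
// host-only (RFC 6265 section 5.3, step 6); otherwise it is domain-scoped.
function parseSetCookie(header, settingHost) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const name = nameValue.slice(0, eq);
  const value = nameValue.slice(eq + 1);
  let domain = null;
  let httpOnly = false;
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() === "domain") domain = v;
    if (k.toLowerCase() === "httponly") httpOnly = true;
  }
  return {
    name,
    value,
    httpOnly,
    hostOnly: domain === null,
    domain: domain === null ? settingHost.toLowerCase() : domain.replace(/^\./, "").toLowerCase(),
  };
}

// Cookies a browser attaches to a request for requestHost. Host-only cookies
// need an exact host match; domain cookies use domain-matching.
function cookiesSentTo(requestHost, jar) {
  const host = requestHost.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? c.domain === host : domainMatches(host, c.domain)))
    .map((c) => c.name);
}

// Cookies that script running on scriptHost can read through document.cookie:
// the same scope rule, minus HttpOnly cookies.
function cookiesReadableByScriptOn(scriptHost, jar) {
  const byName = new Map(jar.map((c) => [c.name, c]));
  return cookiesSentTo(scriptHost, jar).filter((name) => !byName.get(name).httpOnly);
}

// Constructed scenario: the apex host sets three session cookies with
// different scopes. A stored XSS on any *.micro.blog page would see exactly
// what cookiesReadableByScriptOn reports for that host.
const jar = [
  parseSetCookie("sid_host=abc; Path=/; Secure", "micro.blog"),
  parseSetCookie("sid_wide=def; Domain=micro.blog; Path=/; Secure", "micro.blog"),
  parseSetCookie("sid_wide_ho=ghi; Domain=micro.blog; HttpOnly; Secure", "micro.blog"),
];

function demo() {
  return {
    // Subdomain and apex are different origins: no cross-DOM access.
    originsDiffer: !sameOrigin("https://user.micro.blog/", "https://micro.blog/"),
    // ...but Domain=micro.blog cookies still travel to every subdomain.
    sentToSubdomain: cookiesSentTo("evil.micro.blog", jar),
    sentToApex: cookiesSentTo("micro.blog", jar),
    // Only the non-HttpOnly domain cookie is exposed to script on a subdomain.
    readableOnSubdomain: cookiesReadableByScriptOn("evil.micro.blog", jar),
  };
}

console.log(demo());
```

The takeaway matches the caveat in the comment above: origin isolation holds for the DOM and XHR, but whether a session cookie leaks to a sibling subdomain depends on the Domain attribute the apex site chose and on HttpOnly, not on the same-origin policy.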



