P.S. We (GitHub) have engaged Cure53 several times, including an assessment dedicated to Content Security Policy bypasses across various browser implementations. Mario (and team) are incredible to collaborate with.
> The original intention expressed by the authors was to move past the browsers as such,
instead splitting the field by engine. In that sense, we sought to shed light on the security
properties of Trident represented by MSIE, Edge represented by the corresponding
browser with the same name, Gecko represented by Firefox or Firefox ESR13, Blink
represented by Chrome, and Webkit represented by Safari. After a series of meetings with
the sponsors, the expected scope was clearly delineated to entail research on MSIE, Edge, and Chrome only.