Alert 1 to win A series of XSS challenges: here's some unsafe code; exploit it! Shortest code wins.
Shelfbrain Holy Trinity of Human Spelling A dictionary generated by GPT-2. On paper.
Zip Quine A ZIP file that contains itself. Best paid code I ever wrote.
Chargen Generate test pages from the URL.
Send File to get files from something with a browser to a real machine (and also hints for the other direction)
SHA1 collision maker
DNS On-the-fly DNS
Screen Test to quickly check if the resolution is 1:1
Old Security Stuff
Stealing Tokens With Harmony The
ServiceWorker is a problem if you have a 'user content' domain (like Dropbox)
Webkit URLs A tragedy in seven parts (so far)
Safari Reader UXSS A non-hostname-based Safari bug
2017-07-30: alert(1) was broken in Firefox (thanks Patrick G)
Complaints to @steike.