An entertaining article about the dangers of untrusted JS dependencies. But it gets one crucial thing wrong: CSP is absolutely not capable of preventing data exfiltration once the attacker's script runs in the context of your app https://lists.w3.org/Archives/Public/public-webappsec/2016Sep/0012.html http://www.cse.chalmers.se/~andrei/asiaccs16.pdf https://twitter.com/D__Gilbertson/status/949563399272361984
Replying to @arturjanc
> My code won’t send anything when the DevTools are open ffffffff
Replying to @durumcrustulum @arturjanc
Who came up with the (awful) idea of exposing to js the state of dev tools?!?
Replying to @RichFelker @durumcrustulum
You don't need an explicit API for this; there are a bunch of clever browser-specific hacks (https://stackoverflow.com/questions/7798748/find-out-whether-chrome-console-is-open) or you can infer it from window.outer{Height,Width} - window.inner{Height,Width}.
Replying to @arturjanc @durumcrustulum
window.outer should always just be window.inner plus some constant matching a common historic window decoration style. Actually giving the real value is a fingerprinting leak bug.
The other things in the SO answer are also bugs/leaks that should be fixed/plugged.
Replying to @RichFelker @durumcrustulum
Sounds reasonable in principle, but in practice removing all the side channels is a huge amount of work for a browser vendor for a fairly unclear benefit (hiding the "is console open" bit for a tiny fraction of users). Not a hill I'd want to die on ;-)
Replying to @arturjanc @durumcrustulum
It's just a matter of undoing mistakes & stopping adding new ones. They're not just console state leaks but tracking vectors (big privacy issue).
Removing all of them for devtools might be infeasible. Here's another one: with devtools opened, by default, JS pauses on errors. Check if that happens in an iframe. There's probably 100s of ways like that.
Replying to @kkotowicz @RichFelker and
I once made a PoC of checking whether devtools are open by measuring the time of console.log (obviously takes longer with devtools opened). https://jsbin.com/tutotepovu/edit?html,output
There are lots of ways to abuse console.log that should be plugged. Like execution of toString should happen in a sandbox with no visible side effects.