I don't mean what they can do, I mean what they do do. The aggregate risk out there.
Conversely, I haven't seen any due to GA or Like button JS being subverted just yet.
-
-
You would have to have a global whitelist of 3rd parties you can trust. Malvertising happens.
-
I buy HW from Apple instead of [random vendor] because I trust it. Same with JS APIs ;-)
-
To some extent, yes. But it's also about limiting oneself. Drop privileges if you will.
End of conversation
New conversation -
-
-
But that's exactly why we have SRI and apps that worry about this should definitely use it.
-
We need SRI + no dynamic loading.
-
SRI is enough if you trust the place you're loading JS from. Otherwise, don't load the JS.
-
How about GA demanding SRI?
-
Or maybe scripts can't inject script tags with hash attributes?
-
If so we should come up with a way for script sources to request then demand SRI in two steps.
-
What would this protect against? An evil JS provider could just not opt into any checks.
-
But providers with great power could lower the aggregate risk on the web.
- 1 more reply
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.