An entertaining article about the dangers of untrusted JS dependencies. But it gets one crucial thing wrong: CSP is absolutely not capable of preventing data exfiltration once the attacker's script runs in the context of your app https://lists.w3.org/Archives/Public/public-webappsec/2016Sep/0012.html http://www.cse.chalmers.se/~andrei/asiaccs16.pdf https://twitter.com/D__Gilbertson/status/949563399272361984
-
It's just a matter of undoing mistakes & stopping adding new ones. They're not just console state leaks but tracking vectors (big privacy issue).
-
Removing all of them for devtools might be infeasible. Here's another one: with devtools opened, by default, JS pauses on errors. Check if that happens in an iframe. There's probably 100s of ways like that.
-
I once made a PoC of checking whether devtools are open by measuring the time of console.log (obviously takes longer with devtools opened). https://jsbin.com/tutotepovu/edit?html,output
-
There are lots of ways to abuse console.log that should be plugged. Like execution of toString should happen in a sandbox with no visible side effects.