Discovered an app was using redux, need to debug it, so I injected a console.log to log all actions :D pic.twitter.com/SO7LSk5EhF
does that mean that JS code served to a page came from a secure place, or the contents that JS has in memory is secure?
It means content that contains secret data based on cookies or http auth headers.
Again I *think* we're on the same page, but... isn't that every website? You login and it sets a cookie, and you're authenticated
HTML content might contain secret data and is reasonably protected by SOP. JS content is poorly protected and shouldn't contain secrets.
If your web app has require.registry or something like that and has authed secret content, any third party can get the AUTHED content.
The only reasonable way to program in JS on the web is to keep secret content OUT of JS.
Secret meaning something like a cookie, where a 3rd party could steal & do own requests... or just priv info, like twitter DMs?
I think we're on the same page: basically the server needs to validate things 1000%. It's stupid to assume otherwise
I don't think there's any way we can obscure things enough for any run-time inspection to be lessened. JS is too easy to monkey-patch
And F.p.toString. Once you have a module registry it's game over.
Are you saying some people argue that their JS code is safe, even if a 3rd party can run JS on the same origin?
I'm saying some people believe that it's important to make "authenticated modules" a thing. Which is crazy.
Never heard that term before :) I feel like there's some context I'm missing! But I agree with you.
Let me back the truck up. Today, for web-compat, <script> by default sends cookies, allowing websites to include secret, authed data 1/
(Totally read that as back the f*** up)
...as long as the API it talks to is secured I don't see the issue here?