Same thoughts here, I wouldn't want to expose all the actions of my page to a future attacker.
(Totally read that as back the f*** up)
However, today, this is an extremely dubious practice, because of how easy it is for a third party origin to use a `<script>` to execute 2/
the code on *their* domain (http://evil.com) with the user's credentials (say, for http://bank.com). The most obvious 3/
issue is `Function.prototype.toString`, which allows you to see the contents of any function. So the exploit is: be aware that 4/
http://bank.com/account.js contains authenticated, secret account data, `<script src="http://bank.com/account.js">` on http://evil.com 5/
Now you might be thinking, this seems like an awfully obscure exploit. But if http://bank.com uses a module registry, that 6/
`<script>` will populate a global `__registry__` (or something like it) on *http://evil.com* but with the user's 7/
*http://bank.com* cookies. So basically, it's a bad idea to use cookies as auth to put secret content in a JS file. 8/
Even if you think you're safe, someone else can decide to switch to webpack and pwn you. So don't do it (put the secret in HTML instead) 9/
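As an added example (not code from the thread or any of its participants), here is the defensive side of what the thread describes: a Node.js handler that never hands cookie-authenticated account data out as an executable script. `classifyRequest`, `buildAccountResponse` and the `ACCOUNT` sample are all constructed for this illustration.

```javascript
// Added example, not code from the thread. Serves per-user account data so that a
// cross-site <script src="http://bank.com/account.js"> include cannot read it.

// Constructed sample of the secret, cookie-authenticated data the thread talks about.
const ACCOUNT = { user: 'alice', balance: 1234 };

// Classify a request using the browser-set Sec-Fetch-* headers (page script cannot
// forge them). Anything fetched as a <script>, or from another site, is refused.
function classifyRequest(headers) {
  if (headers['sec-fetch-dest'] === 'script') return 'reject-script-dest';
  const site = headers['sec-fetch-site'];
  if (site && site !== 'same-origin' && site !== 'none') return 'reject-cross-site';
  return 'allow'; // same-origin, direct navigation, or an old client without the headers
}

// Build the response. The secret never goes out as JavaScript: it is either JSON with
// nosniff (browsers refuse to run a <script> include whose MIME type is not a script
// type, which also covers old clients that send no Sec-Fetch-* headers) or a data
// block embedded in an HTML page, which is what the thread recommends.
function buildAccountResponse(headers, format) {
  if (classifyRequest(headers) !== 'allow') {
    return { status: 403, headers: { 'Content-Type': 'text/plain' }, body: 'forbidden' };
  }
  const common = { 'X-Content-Type-Options': 'nosniff', 'Cache-Control': 'no-store' };
  if (format === 'html') {
    // Escape '<' so a value containing "</script" cannot terminate the data block early.
    const json = JSON.stringify(ACCOUNT).replace(/</g, '\\u003c');
    const body = `<!doctype html><script type="application/json" id="account">${json}</script>`;
    return { status: 200, headers: { ...common, 'Content-Type': 'text/html; charset=utf-8' }, body };
  }
  return { status: 200, headers: { ...common, 'Content-Type': 'application/json' }, body: JSON.stringify(ACCOUNT) };
}

// Constructed request headers: what a browser sends for a cross-site <script src> include
// versus a same-origin fetch from the bank's own page.
const crossSiteScript = { 'sec-fetch-dest': 'script', 'sec-fetch-site': 'cross-site' };
const sameOriginFetch = { 'sec-fetch-dest': 'empty', 'sec-fetch-site': 'same-origin' };
console.log(buildAccountResponse(crossSiteScript, 'json').status); // 403
console.log(buildAccountResponse(sameOriginFetch, 'json').status); // 200
```

In a real server you would call `buildAccountResponse(req.headers, 'json')` from the request handler and copy its status, headers and body onto the response.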
