Overempowering Javascript

Every now and then, I find out Javascript has been granted some privilege by the browser that just astonishes me. Most recently it was the history API:

That's right, the browser lets Javascript manipulate your history: `history.pushState()` and `history.replaceState()` add or rewrite entries, including the URL shown in the address bar, without any navigation actually happening.

Who in the hell decided Javascript should be able to do this?

Another is the `rel="noopener"` affair: astonishingly, links with `target="_blank"` and without `rel="noopener"` give the opened page *a reference to the opening page's window object* (`window.opener`). The reference is cross-origin, so the new page can't read the opener's content, but it can navigate it: redirect the original tab to a look-alike login page while the user is busy in the new one (reverse tabnabbing). Current browsers now treat `target="_blank"` as implying `noopener`, but that only arrived between 2019 and 2021 depending on the browser, and `window.open()` still hands over the opener unless you pass `noopener` explicitly.
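As an added example (my code, not from the original post), here is an audit of the pattern just described: a small scanner that finds `<a target="_blank">` links missing `rel="noopener"` in an HTML string, and a fixer that adds the token, run on a constructed sample page. The tag and attribute matching is regex-based, which is adequate for a demonstration but not a substitute for a real HTML parser; the comment at the top shows what the opened page can do while the opener is reachable.

```javascript
// Added example: find and fix target="_blank" links that expose window.opener.
// Not from the original post. Tag/attribute matching is regex-based (demo quality).

// What the opened page can do while the opener is reachable (illustration, not run here):
//   if (window.opener) window.opener.location = 'https://phish.example/login';
// The opener reference is cross-origin, so the new page cannot read the old page's DOM,
// but it can navigate it (classic reverse tabnabbing).

const A_TAG_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one tag into { name: value } with lower-cased names.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function relTokens(attrs) {
  return new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// A link hands over an opener if it is target="_blank" and carries neither
// noopener nor noreferrer (noreferrer implies noopener in current browsers).
function opensWithOpener(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = relTokens(attrs);
  return !(rel.has('noopener') || rel.has('noreferrer'));
}

// Return [{ href, tag }] for every anchor that would expose window.opener.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(A_TAG_RE)) {
    const attrs = parseAttrs(m[1]);
    if (opensWithOpener(attrs)) unsafe.push({ href: attrs.href || '', tag: m[0] });
  }
  return unsafe;
}

// Rewrite the HTML so every target="_blank" anchor carries rel="noopener".
function hardenBlankLinks(html) {
  return html.replace(A_TAG_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!opensWithOpener(attrs)) return tag;
    const rel = relTokens(attrs);
    rel.add('noopener');
    const newRel = `rel="${[...rel].join(' ')}"`;
    if ('rel' in attrs) {
      // Replace the existing rel attribute (quoted or unquoted) in place.
      return tag.replace(/(\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, `$1${newRel}`);
    }
    return `<a${attrText} ${newRel}>`;
  });
}

// Constructed sample page for the demo.
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank">unsafe: no rel</a>
<a href="https://example.com/b" target="_blank" rel="noopener">safe</a>
<a href="https://example.com/c" target="_blank" rel="noreferrer nofollow">safe: noreferrer implies noopener</a>
<a href="https://example.com/d" target='_blank' rel="nofollow">unsafe: rel present but no noopener</a>
<a href="https://example.com/e">same tab, irrelevant</a>
`;

console.log(findUnsafeBlankLinks(SAMPLE_HTML).map((l) => l.href));
console.log(findUnsafeBlankLinks(hardenBlankLinks(SAMPLE_HTML)).length);
```

In a live page the equivalent runtime check is `document.querySelectorAll('a[target="_blank"]:not([rel~="noopener"]):not([rel~="noreferrer"])')`; the string-based version above is for scanning templates and static output in CI.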

The one I found out before that was that Javascript can send POST requests to other domains; the browser just won't attach SameSite cookies to them or let the script read the response. Form-style bodies go out without even a CORS preflight, and a plain HTML form with `method="POST"` needs no Javascript at all. That is the whole basis of cross-site request forgery (CSRF).

SameSite cookies

And sure, some of these powers can be used for good. But one has to wonder how many fewer headaches and exploits we would have if browsers just didn't grant Javascript these powers. Especially since SameSite cookies are a relatively recent addition (specified from 2016 onward) to mitigate these very attacks, and cookies without the attribute kept being sent cross-site by default until Chrome switched to `SameSite=Lax` by default in 2020, a switch the other browsers have not all followed. (It's a fucking travesty that cookies were ever made non-SameSite by default.)
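As an added example (mine, not the post's), here is the server side of the cross-site POST problem described above: a `Set-Cookie` builder that emits the `SameSite` attribute the post wishes were the default, and a check that uses the provenance headers browsers attach automatically (`Sec-Fetch-Site`, `Origin`, `Referer`) to refuse state-changing requests from other sites. The application origin `https://app.example` and the request objects are constructed for the demo; nothing here is a real framework API, and the attacker-side `fetch` in the comment is shown for reference rather than executed.

```javascript
// Added example: what a server can do about cross-site POSTs. Not from the original post.
// Assumed application origin; the requests below are constructed { method, headers } objects.
const SITE_ORIGIN = 'https://app.example';

// The browser side, for reference (illustration, not run here). From a page on
// https://attacker.example this request leaves with the victim's cookies if they are
// SameSite=None, and the response comes back opaque and unreadable:
//   fetch('https://app.example/transfer', {
//     method: 'POST', mode: 'no-cors', credentials: 'include',
//     headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
//     body: 'to=attacker&amount=1000',
//   });
// It carries "Origin: https://attacker.example" and "Sec-Fetch-Site: cross-site".

// Build a Set-Cookie value that keeps the session cookie off cross-site POSTs.
function sessionCookie(name, value, { sameSite = 'Lax' } = {}) {
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  // SameSite=None is only honoured together with Secure; Secure and HttpOnly are good defaults anyway.
  return [`${name}=${value}`, 'Path=/', 'HttpOnly', 'Secure', `SameSite=${sameSite}`].join('; ');
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function lowerHeaders(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Decide whether a cookie-authenticated, state-changing request may proceed.
// Order: Sec-Fetch-Site (all current browsers), then Origin, then Referer, else deny.
// Returns { allowed, reason }.
function checkStateChangingRequest(req, expectedOrigin = SITE_ORIGIN) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) return { allowed: true, reason: 'safe method' };
  const h = lowerHeaders(req.headers);

  const site = h['sec-fetch-site'];
  if (site === 'same-origin' || site === 'none') {
    // 'none' means user-initiated (typed URL, bookmark), not a page on another site.
    return { allowed: true, reason: `sec-fetch-site=${site}` };
  }
  if (site === 'cross-site' || site === 'same-site') {
    // Sibling subdomains are treated as untrusted; relax to allow 'same-site' only if you control them all.
    return { allowed: false, reason: `sec-fetch-site=${site}` };
  }

  const origin = h['origin'];
  if (origin !== undefined) {
    return origin === expectedOrigin
      ? { allowed: true, reason: 'origin matches' }
      : { allowed: false, reason: `origin ${origin} is not ${expectedOrigin}` };
  }

  const referer = h['referer'];
  if (referer !== undefined) {
    let refOrigin;
    try { refOrigin = new URL(referer).origin; } catch { refOrigin = null; }
    return refOrigin === expectedOrigin
      ? { allowed: true, reason: 'referer matches' }
      : { allowed: false, reason: `referer ${referer} is not on ${expectedOrigin}` };
  }

  // No provenance at all: a non-browser client or stripped headers. For
  // cookie-authenticated endpoints, deny; token-authenticated APIs can skip this check.
  return { allowed: false, reason: 'no Sec-Fetch-Site, Origin or Referer' };
}

// Constructed sample requests.
const SAMPLE_REQUESTS = {
  legitimate: { method: 'POST', headers: { Origin: 'https://app.example', 'Sec-Fetch-Site': 'same-origin', Cookie: 'session=abc' } },
  csrf: { method: 'POST', headers: { Origin: 'https://attacker.example', 'Sec-Fetch-Site': 'cross-site', Cookie: 'session=abc' } },
  oldBrowserCsrf: { method: 'POST', headers: { Referer: 'https://attacker.example/page.html', Cookie: 'session=abc' } },
  headless: { method: 'POST', headers: { Cookie: 'session=abc' } },
  read: { method: 'GET', headers: { 'Sec-Fetch-Site': 'cross-site' } },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const { allowed, reason } = checkStateChangingRequest(req);
  console.log(`${name.padEnd(15)} ${allowed ? 'ALLOW' : 'DENY '} (${reason})`);
}
console.log(sessionCookie('session', 'abc'));
```

The header check is a backstop, not a replacement for `SameSite` on the cookie: the two mitigate different failure modes (a browser that doesn't default cookies to `Lax` versus a proxy that strips `Origin`), and the cheapest defence is still to never rely on an ambient cookie alone for a state change.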

Next I'm going to find out there's a JS API for editing the user's bookmarks, or deleting files on their local drive. You don't do security by giving strangers every power you can think of over your users' devices and then building an enigmatic web of restrictions on top of that.



Proxied content from gemini://yujiri.xyz/software/overempowering-js.gmi
