Overempowering Javascript

Every now and then, I find out Javascript has been granted some privilege by the browser that just astonishes me. Most recently was the history API:

https://developer.mozilla.org/en-US/docs/Web/API/History

That's right, the browser lets Javascript manipulate your history.

Who in the hell decided Javascript should be able to do this?

Another is the `rel="noopener"` affair: astonishingly, links with `target="_blank"` without `rel="noopener"` give the opened page *access to the opening page's window object*. And this can be used to reload, redirect, or otherwise screw up the opening page.
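As an added example (not code from the original post), here is a small linter that scans HTML for `<a target="_blank">` links that lack `rel="noopener"` (or `rel="noreferrer"`, which implies it) and suggests the hardened `rel` value. The regex-based tag parsing and the sample HTML are assumptions constructed for illustration, not a full HTML parser. Note that current browsers treat `target="_blank"` as `noopener` by default, but older browsers and explicit `rel="opener"` still expose `window.opener`, so adding the attribute explicitly remains the safe choice.

```javascript
// Added example: find <a target="_blank"> links that would leave window.opener
// pointing at the opening page, and propose a hardened rel attribute.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// rel is a space-separated token list; normalise it to a Set.
function relTokens(rel) {
  return new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// True when the link opens a new browsing context without severing the
// opener relationship (neither noopener nor noreferrer is present).
function leaksOpener(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = relTokens(attrs.rel);
  return !rel.has('noopener') && !rel.has('noreferrer');
}

// Keep whatever rel tokens were there and add noopener.
function hardenRel(rel) {
  const tokens = relTokens(rel);
  tokens.add('noopener');
  return [...tokens].join(' ');
}

// Audit a document and return one finding per leaky link.
function auditLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (leaksOpener(attrs)) {
      findings.push({
        href: attrs.href || '',
        original: m[0],
        suggestedRel: hardenRel(attrs.rel),
      });
    }
  }
  return findings;
}

// Constructed sample input (not from any real site).
const SAMPLE_HTML = `
<a href="https://example.org/safe" target="_blank" rel="noopener">ok</a>
<a href="https://example.org/also-safe" target="_blank" rel="noreferrer nofollow">ok</a>
<a href="https://example.org/leaky" target="_blank">leaks opener</a>
<a href='https://example.org/leaky2' target='_blank' rel="nofollow">leaks opener</a>
<a href="/local">same tab, fine</a>
`;

for (const f of auditLinks(SAMPLE_HTML)) {
  console.log(`${f.href}: add rel="${f.suggestedRel}"`);
}
```

Running it reports the two links that open a new tab without `noopener`; the first gets `rel="noopener"` and the second keeps its existing `nofollow` token alongside it.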

The one I found out before that was that Javascript can send arbitrary POST requests to other domains; it just can't include SameSite cookies or read the response.

SameSite cookies

And sure, some of these powers can be used for good. But one has to wonder, if browsers just didn't grant Javascript these powers, how many fewer headaches and exploits we would have. Especially since SameSite cookies are a relatively recent addition to mitigate these very attacks. (It's a fucking travesty that cookies were ever made non-SameSite by default.)
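Since the author's complaint is about cookies being cross-site by default, here is an added example (not from the original post) of the check a defender would run on the server side: parse `Set-Cookie` header values, flag cookies that a cross-site form POST would carry, and rewrite them with `SameSite=Lax`, `Secure` and `HttpOnly`. The sample headers are constructed for illustration, and the parser assumes well-formed header values. Modern browsers default a cookie with no `SameSite` attribute to `Lax` and reject `SameSite=None` without `Secure`, but relying on browser defaults is exactly the problem the post describes, so the audit treats a missing attribute as a finding.

```javascript
// Added example: audit and harden Set-Cookie header values for SameSite.

// Canonical spelling for attribute names when re-serialising.
const CANONICAL = {
  path: 'Path', domain: 'Domain', expires: 'Expires', 'max-age': 'Max-Age',
  secure: 'Secure', httponly: 'HttpOnly', samesite: 'SameSite',
};

// Parse "name=value; Attr=val; Flag" into name, value and an ordered Map of
// lower-cased attribute names (value true for flag attributes like Secure).
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = new Map();
  for (const part of attrParts) {
    const t = part.trim();
    if (!t) continue;
    const i = t.indexOf('=');
    if (i === -1) attrs.set(t.toLowerCase(), true);
    else attrs.set(t.slice(0, i).trim().toLowerCase(), t.slice(i + 1).trim());
  }
  return { name, value, attrs };
}

// Rebuild a header value, preserving attribute order.
function serialize(c) {
  const parts = [`${c.name}=${c.value}`];
  for (const [k, v] of c.attrs) {
    const key = CANONICAL[k] || k;
    parts.push(v === true ? key : `${key}=${v}`);
  }
  return parts.join('; ');
}

// Report the ways a cookie could be exposed on cross-site requests or to script.
function auditCookie(header) {
  const c = parseSetCookie(header);
  const raw = c.attrs.get('samesite');
  const sameSite = typeof raw === 'string' ? raw.toLowerCase() : null;
  const problems = [];
  if (sameSite === null) {
    problems.push('no SameSite attribute: sent cross-site unless the browser defaults to Lax');
  } else if (sameSite === 'none') {
    problems.push('SameSite=None: sent on cross-site requests');
    if (!c.attrs.has('secure')) problems.push('SameSite=None without Secure is rejected by browsers');
  }
  if (!c.attrs.has('secure')) problems.push('missing Secure');
  if (!c.attrs.has('httponly')) problems.push('missing HttpOnly');
  return { name: c.name, sameSite, problems };
}

// Rewrite the header so a cross-site POST never carries the cookie.
// An explicit Strict is kept; anything else becomes Lax.
function hardenSetCookie(header) {
  const c = parseSetCookie(header);
  const existing = c.attrs.get('samesite');
  if (typeof existing !== 'string' || existing.toLowerCase() !== 'strict') {
    c.attrs.set('samesite', 'Lax');
  }
  c.attrs.set('secure', true);
  c.attrs.set('httponly', true);
  return serialize(c);
}

// Constructed sample headers (not captured from any real server).
const SAMPLE_HEADERS = [
  'session=abc123; Path=/',
  'tracker=xyz; Path=/; SameSite=None; Secure',
  'csrf=tok; Path=/; Secure; HttpOnly; SameSite=Strict',
];

for (const h of SAMPLE_HEADERS) {
  const a = auditCookie(h);
  console.log(a.name, a.problems.length ? a.problems : 'ok');
  console.log('  hardened:', hardenSetCookie(h));
}
```

The first sample, a session cookie with no attributes at all, is the case the post is about: without `SameSite` a cross-site form POST from any page would carry it, and the audit flags it before the hardened form is emitted.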

Next I'm going to find out there's a JS API for editing the user's bookmarks, or deleting files on their local drive. You don't do security by giving strangers every power you can think of over your user's device, and building an enigmatic web of restrictions on top of that.

Proxied content from gemini://yujiri.xyz/software/overempowering-js.gmi