undefined | Better HN

0 pointsPxtl8y ago0 comments

Yes, but then the malware can also compromise the server, since it now has js access to all the users and can Masquerade as them when they see the ad - even as admins. Keys to the kingdom. This is a feature, not a bug - it means the user and the server are now in the same boat, and the server will have some friggin diligence about whose code they run.

Also, means the server has to pay for the damned bandwidth.

0 comments

NMDaniel8y ago

That's not how it works, the server wouldn't execute JS that is meant for a browser client, it would just serve it like any other static file.

What you're suggesting will actually hamper security, because scripts served from your domain have less limitations(see https://en.wikipedia.org/wiki/Same-origin_policy , https://en.wikipedia.org/wiki/Content_Security_Policy and other mechanisms)

leeoniya8y ago

the implication of same-origin would affect all requests made from the client. you can serve malicious js from the server all day long but it would be restricted to only talking back to that same server.

j / k navigate · click thread line to collapse

0 pointsPxtl8y ago0 comments

Also, means the server has to pay for the damned bandwidth.

0 comments

NMDaniel8y ago

That's not how it works, the server wouldn't execute JS that is meant for a browser client, it would just serve it like any other static file.

leeoniya8y ago

j / k navigate · click thread line to collapse