JS Injection Security Risks
This cluster covers security concerns about techniques that inject JavaScript into websites or other tabs without consent, which commenters liken to shady ISP behavior, along with discussion of mitigations including NoScript, CSP, ad blockers, and blocking scripts from sites like Google.
Sample Comments
This is nuts, injecting code without website consent, pretty much like shady-ISP behaviour!
Don't X-Frame-Options and frame-busting JavaScript break this idea?
NoScript usually bypasses this behavior. Especially when the content is delivered but hidden with JS DOM manipulation.
those kinds of tricks are already blocked by browsers, as the article explains
couldn't this be a major security issue since you could integrate your own js to any url on the domain?
yeah sadly that seems to be the case. they are using 1st party inline scripts, so even blockers with dynamic filtering rules are unlikely to catch this.
Security implications? Now your browser will execute JavaScript from sites you didn't even visit. Awesome.
How useful is blocking third party scripts and frames against this?
Haven't browsers already done changes to combat that?
Can't you just prevent most scripts on google.com from running, for this mangling not to happen?