
   If a website loads third-party JavaScript into a page using a <script> tag then by default it loads with a security context of same-origin – this means that it can often do whatever JavaScript hosted from the website's own server can do, so likely:

    Read any content on the page it is loaded into
        Read your user details and often session cookies
    Modify (add/change/remove) any content on the page
        Add a username and password field, capture the values

I always* wondered why there aren't more data breaches out there. Most websites have trackers and shady scripts that can do a lot of harm... Even on banks' websites or payment pages!

Thing is, I don't see why technically it's the fault of the company providing the website. They are sending a webpage, and it's the user's browser that is sending its own data to facebook.com / google / twitter / metrics scripts / shady stuff... What would be illegal would be for a company to make a direct connection from their servers with your data.

* i.e. since I learned web development




> I always wondered why there aren't more data breaches out there. Most websites have trackers and shady scripts that can do a lot of harm... Even on banks' websites or payment pages!

They do, constantly. You just only hear about the massive ones at public companies. That's why we have GDPR now. The web has become a complete and utter nightmare in terms of security. Users have absolutely no idea how critically dangerous it is to plop a third-party CDN script into their pages.


You mean web developers, not users? I think devs and users don't feel concerned enough, and that's a shame. I am not for GDPR though; I think users should educate themselves and try to get to know which browser + extensions fit their privacy / security needs. We also need more benchmarking / consumer information so that we can select websites best; competition will do the rest. It seems it's a niche market as of now.


I say “users” because most actual developers know better at this point. The real problem has come from the innumerate people using CMS systems that think nothing of dumping a script tag on the page they copied/pasted from some random plugin provider.


I always educate myself on any technical subject instead of relying on democratically enacted laws. I educate myself on biochemistry instead of relying on The State to keep my food safe. If I have offspring I will educate myself on teaching techniques so I can choose the right private school instead of relying on publicly funded ones. This is all highly efficient.


While I think that there are fair critiques of this post[1], I can definitely empathize with the overwhelming sense of drowning in ignorance and the limited energy I have to defend against goods and services that entail hidden compromises I would not consent to were I properly informed.

[1] My most available example stemming from:

> ... relying on democratically enacted laws.

I find these often lack the required subtlety at best, or are precipitated by general ignorance at worst, and while they are much better than anarchy, they can cause significant harm in their own right.


I don't deny there are hidden compromises all over (I think that is a good way to put it) and we need to educate ourselves all the time. I can't imagine a more efficient way to handle all of it than fostering a political tradition that is inherently critical of concentrated and unchecked power, whether private or governmental, and having individuals of the tradition succeed in democratic government and adversarial journalism.

The idea is meant to imply a fractal society of checks: the minimum amount of radically skeptical and power-focused individuals and campaigns per issue and scope would be needed to keep powerful people and groups from being able to get away with abuse. We have some pieces of this in place today, more in the U.S. than many other countries.


Most laws supposed to protect you actually give you a false sense of security; they create business entry barriers, deform market incentives and increase legal risks / burden. The costs are very well known, but the benefits are doubtful. Governments profit from your fears.


There are ways to make this efficient, but 1) people need to be concerned about the issues at stake, and 2) a lot of online business models also need to be refreshed (-> chicken and egg issue). The best thing about privacy / security scandals and laws like GDPR is that they bring these issues into broad light and they become a topic of discussion.

Side note: state-backed safety laws and inspection may bring more harm than good, and I will never send my children to schools; it would be the best way to make them stupid.


> Thing is, I don't see why technically it's the fault of the company providing the website.

If a bank wrote code on their website button that told your browser to send your account username and password to an evil person, technically the bank is at fault.


I don't think there is a single Fortune 500 company that was not breached in the last 10 years.


The degree matters a lot. Many have never had a serious breach.


I have very serious doubts about that.

