Archived view of yujiri.xyz › software › overempowering-js.gmi, captured on 2022-07-16 at 14:28:40.
Every now and then, I find out Javascript has been granted some privilege by the browser that just astonishes me. Most recently was the history API:
https://developer.mozilla.org/en-US/docs/Web/API/History
That's right: the browser lets Javascript manipulate your history. To be precise, it is the current tab's session history: a page can push and replace entries (with same-origin URLs only) and walk backward and forward through the stack, but it cannot read the entries or touch your global history. That is still enough to change what the address bar shows without loading anything, and to trap the back button by stuffing the stack with entries that all lead straight back to the same page.
Who in the hell decided Javascript should be able to do this?
Another is the `rel="noopener"` affair: astonishingly, a link with `target="_blank"` and without `rel="noopener"` hands the opened page a reference to the opening page's window (`window.opener`). Cross-origin that reference is restricted (no DOM, no cookies, no `reload()`), but it still lets the new page navigate the original tab by assigning `opener.location`, which is all a phishing page needs: swap the tab the user came from for a look-alike login form while they are busy reading the new one ("reverse tabnabbing"). Browsers have since changed the default (Chrome 88, Firefox 79 and Safari 12.1 treat `target="_blank"` links as if `noopener` were set), but `window.open()` from script still hands over the opener unless you pass the `noopener` feature.
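The opener leak above, as an added example (this is not code from the original post): the attacker's script, the markup fix, and the `window.open` fix. The domains `bank.example` and `attacker.example`, and the stand-ins for `window` and the anchor elements, are constructed for the demo so it runs outside a browser; in a page you would pass `window` and `document.querySelectorAll('a[target="_blank"]')` instead.

```javascript
// Added example, not from the original post: reverse tabnabbing through
// window.opener, and the two fixes. `window` and the anchor elements are
// replaced by small stand-ins (constructed below) so this runs under Node;
// in a page you would pass `window` and document.querySelectorAll('a[target="_blank"]').

// --- Attacker side: script on the page the victim opened in a new tab. ---
// Cross-origin, win.opener is a restricted WindowProxy: no DOM, no cookies,
// no reload(), but its `location` may be assigned. That is enough to replace
// the tab the victim came from with a look-alike login page.
function tabnab(win, phishingUrl) {
  const opener = win.opener;
  if (!opener) return false;            // noopener was in effect: nothing to do
  try {
    opener.location = phishingUrl;      // navigates the victim's original tab
    return true;
  } catch (e) {
    return false;                       // treat any SecurityError as blocked
  }
}

// --- Defender side A: fix the markup. ---
// Gives every target="_blank" anchor rel="noopener" (plus noreferrer, which
// older browsers honour and which also drops the Referer header).
// `anchors` is any iterable of element-like objects with get/setAttribute.
function hardenAnchors(anchors) {
  let fixed = 0;
  for (const a of anchors) {
    if (a.getAttribute('target') !== '_blank') continue;
    const rel = new Set((a.getAttribute('rel') || '').split(/\s+/).filter(Boolean));
    if (rel.has('noopener')) continue;
    rel.add('noopener');
    rel.add('noreferrer');
    a.setAttribute('rel', [...rel].join(' '));
    fixed++;
  }
  return fixed;
}

// --- Defender side B: fix script-driven opens. ---
// The browsers' implicit-noopener change covers links only; window.open()
// still hands over the opener unless the feature is passed. With it the
// call returns null and the new window sees opener === null.
function openSafely(win, url) {
  return win.open(url, '_blank', 'noopener');
}

// --- Stand-ins for browser objects (constructed for this example). ---
function fakeAnchor(attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    getAttribute: (k) => (map.has(k) ? map.get(k) : null),
    setAttribute: (k, v) => map.set(k, v),
  };
}

// Models window.open() and the cross-origin opener surface: the child sees a
// proxy that only lets it assign its opener's location (or null with noopener).
function fakeBrowser() {
  const victimTab = { location: 'https://bank.example/account' };
  const navigate = (url) => { victimTab.location = url; };
  const openerProxy = {
    set location(url) { navigate(url); },
    // A cross-origin Location exposes only the href setter and replace().
    get location() { return { set href(u) { navigate(u); }, replace: navigate }; },
  };
  const browser = {
    victimTab,
    lastOpened: null,     // what the browser created, even when open() returned null
    open(url, target, features) {
      const noopener = /\bnoopener\b/.test(features || '');
      const child = { location: url, opener: noopener ? null : openerProxy };
      browser.lastOpened = child;
      return noopener ? null : child;
    },
  };
  return browser;
}

function tabnabDemo() {
  const browser = fakeBrowser();
  // Unsafe: plain window.open (or a target=_blank link in an older browser).
  const child = browser.open('https://attacker.example/article', '_blank');
  const hijacked = tabnab(child, 'https://bank-example-login.example/');
  const victimNowAt = browser.victimTab.location;
  // Safe: noopener, so the attacker's script finds opener === null.
  openSafely(browser, 'https://attacker.example/article');
  const hijackedSafe = tabnab(browser.lastOpened, 'https://bank-example-login.example/');
  return { hijacked, victimNowAt, hijackedSafe };
}
```

`tabnabDemo()` returns `hijacked: true` with the victim tab moved to the phishing URL for the unsafe open, and `hijackedSafe: false` for the `noopener` one. `hardenAnchors` is the check to run over a page's anchors at render time or in a lint step; it leaves anchors that already carry `noopener` alone and preserves any other `rel` tokens.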
The one I found out before that was that Javascript can fire arbitrary POST requests at other domains. The only things it cannot do are read the response (unless the target opts in via CORS) and, in browsers that now default cookies to SameSite=Lax (Chrome since version 80), get the victim's session cookie attached. The request itself still goes out: anything an HTML form can submit (form-encoded, multipart or text/plain bodies) is sent without a preflight, so an endpoint that changes state on the strength of a cookie has already done the damage by the time the browser throws the response away.
And sure, some of these powers can be used for good. But one has to wonder how many fewer headaches and exploits we would have if browsers had just never granted Javascript these powers. Especially since SameSite cookies are a relatively recent addition (Chrome shipped them in 2016, two decades after cookies themselves) whose whole purpose is to mitigate these very attacks. (It's a fucking travesty that cookies were ever made non-SameSite by default.)
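The cross-domain POST and the SameSite mitigation from the two paragraphs above, as an added example (not code from the original post): what the hostile page sends, whether the browser attaches the session cookie under each SameSite setting, the hardened `Set-Cookie` value, and a server-side check that refuses cross-site writes even when a cookie does arrive. The domains, the request objects and the cookie objects are constructed here; nothing touches the network.

```javascript
// Added example, not from the original post: the cross-site POST from both
// ends. The hostile page, the browser's SameSite decision, the hardened
// Set-Cookie, and the server-side check. Requests and cookies are plain
// objects constructed here; nothing touches the network.

// What the hostile page does (browser-only, shown for reference). Either form
// reaches https://bank.example/transfer without a CORS preflight:
//   <form action="https://bank.example/transfer" method="POST">
//     <input name="to" value="attacker"><input name="amount" value="1000"></form>
//   <script>document.forms[0].submit()</script>
// or, from script:
//   fetch('https://bank.example/transfer', { method: 'POST', mode: 'no-cors',
//     credentials: 'include', body: new URLSearchParams({ to: 'attacker', amount: '1000' }) });
// The attacker cannot read the reply, but the server has already acted on the request.

// --- Browser side: is the cookie attached to a request another site started? ---
// cookie: { sameSite?: 'Strict'|'Lax'|'None', secure?: boolean }
// req:    { method, topLevel }   topLevel = a navigation, not a fetch/XHR/iframe
// browserDefault applies when the cookie has no SameSite attribute: 'Lax'
// (Chrome 80+) or 'None' (the legacy behaviour, still Firefox and Safari at
// the time of writing). Chrome's temporary "Lax+POST" exception for freshly
// set cookies is ignored here.
function cookieSentCrossSite(cookie, req, browserDefault = 'Lax') {
  const mode = cookie.sameSite || browserDefault;
  switch (mode) {
    case 'Strict': return false;                                   // never cross-site
    case 'Lax':    return req.topLevel === true && req.method === 'GET';
    case 'None':   return cookie.sameSite ? cookie.secure === true : true; // explicit None needs Secure
    default:       throw new Error(`unknown SameSite mode: ${mode}`);
  }
}

// The hardened Set-Cookie value for a session cookie.
function sessionCookieHeader(value) {
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// --- Server side: refuse cross-site writes even if a cookie did arrive. ---
// Returns null when the request may proceed, otherwise a reason string.
// Order: Fetch Metadata (Sec-Fetch-Site) when the browser sends it, else the
// Origin header, else a per-session CSRF token for clients that send neither.
// req.headers must use lowercase names (as Node's http module delivers them).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function rejectCrossSiteWrite(req, expectedOrigin, sessionToken) {
  if (SAFE_METHODS.has(req.method)) return null;      // reads must not change state
  const site = req.headers['sec-fetch-site'];
  if (site !== undefined) {
    // 'none' = typed URL / bookmark. 'same-site' is deliberately not trusted:
    // a hijacked sibling subdomain is a cross-origin attacker too.
    return site === 'same-origin' || site === 'none' ? null : `blocked: Sec-Fetch-Site=${site}`;
  }
  const origin = req.headers['origin'];               // 'null' counts as foreign
  if (origin !== undefined) {
    return origin === expectedOrigin ? null : `blocked: Origin=${origin}`;
  }
  const token = (req.body || {}).csrf_token;
  return token !== undefined && token === sessionToken ? null : 'blocked: missing or invalid CSRF token';
}

// Puts the pieces together for one forged transfer (values constructed here).
function csrfDemo() {
  const hardened = { sameSite: 'Lax', secure: true };
  const legacy = {};                                   // no SameSite attribute, as cookies were before 2016
  const forgedPost = {
    method: 'POST', topLevel: true,                    // auto-submitted form = top-level navigation
    headers: { 'sec-fetch-site': 'cross-site', origin: 'https://attacker.example' },
    body: { to: 'attacker', amount: '1000' },
  };
  return {
    legacyOldBrowser: cookieSentCrossSite(legacy, forgedPost, 'None'),  // cookie rides along
    legacyChrome:     cookieSentCrossSite(legacy, forgedPost, 'Lax'),   // Lax default stops it
    hardened:         cookieSentCrossSite(hardened, forgedPost),        // stopped regardless of browser
    serverVerdict:    rejectCrossSiteWrite(forgedPost, 'https://bank.example', 't0k3n'),
  };
}
```

`csrfDemo()` shows the three worlds in one call: a cookie without a SameSite attribute in a browser with the old default is attached to the forged POST, the same cookie in Chrome 80+ is not, and an explicitly `SameSite=Lax` cookie is not in any browser. The server check is independent of all that: it blocks the forged request on `Sec-Fetch-Site: cross-site` before the cookie is even looked at, falls back to the `Origin` header for browsers without Fetch Metadata, and only then to a CSRF token.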
Next I'm going to find out there's a JS API for editing the user's bookmarks, or deleting files on their local drive. You don't do security by giving strangers every power you can think of over your user's device, and building an enigmatic web of restrictions on top of that.