
Scopes: When writing the spec text, add a section that we thought about security #121

Open
szuend opened this issue Aug 22, 2024 · 0 comments

Comments

szuend (Collaborator) commented Aug 22, 2024

I had a chat with Chrome security folks about the binding expressions in source maps. My initial worry was that we are now executing JS snippets that are provided by the source map in an inspected page. E.g. if an attacker can trick a user into opening a page with a malicious source map or load a malicious source map into a targeted page, and can trigger a pause in the page, then malicious binding expressions would run inside the inspected/targeted page.

Attackers have to target users/developers, as it's non-trivial to make a targeted page that an attacker does not control load a malicious source map without additional user action on top of opening DevTools.

It's simply easier to trick users into opening DevTools and pasting something into the console.

As such, we are fine with shipping binding expressions in source maps that can be arbitrary JavaScript expressions. Nonetheless, we should add a sentence or two once we write the spec text that we gave it some thought.
