
Indeed. Then the middleware could also inject exfiltration JavaScript in `text/html` or `application/javascript` responses, which would work even if the app doesn’t use npm modules on the frontend.

This applies to almost any backend web framework and package manager, but the culture of micro-packages in npm lends itself well to this attack.



Clearly what we need is cryptographically-signed JavaScript and CSP pinning.

(I’m only half joking)

EDIT: oh, CSP pinning is actually a thing that’s been proposed https://www.w3.org/TR/csp-pinning/



