undefined | Better HN

0 pointsNMDaniel8y ago0 comments

That's not how it works, the server wouldn't execute JS that is meant for a browser client, it would just serve it like any other static file.

What you're suggesting will actually hamper security, because scripts served from your domain have less limitations(see https://en.wikipedia.org/wiki/Same-origin_policy , https://en.wikipedia.org/wiki/Content_Security_Policy and other mechanisms)

0 comments

leeoniya8y ago

the implication of same-origin would affect all requests made from the client. you can serve malicious js from the server all day long but it would be restricted to only talking back to that same server.

j / k navigate · click thread line to collapse

0 comments

leeoniya8y ago

j / k navigate · click thread line to collapse