undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointsdTal7y ago0 comments

>It's amazing to me that an advert can run arbitrary javascript at all.

I'm not fully up to date with how these things are usually set up - is there anything in the web security model that prevents "ads" from exfiltrating arbitrary information from any page that they're on? Could an ad read my keystrokes, or scrape private messages?

0 comments

7 comments · 3 top-level

londons_explore7y ago· 2 in thread

Ads are iframed, and don't have permissions to do anything to the host page.

Doesn't stop them fingerprinting the browser though

Typically ads are not in iframes, they are loaded by Javascript from the ad network and can do whatever they want.

smilliken7y ago

There's multiple nested iframes and scripts loaded at every level. All variations are possible.

Aeolun7y ago· 2 in thread

Short answer is yes.

dTalOP7y ago

Yes, the security model stops them, or yes, they can do those things?

Yes, they can do those things.

It is possible to restrict ads using CORS headers, sandboxed iframes and cross origin restrictions. However this is rarely done effectively. Often the ads have a ridiculous level of access.

j / k navigate · click thread line to collapse