15 votes

Troy Hunt: I now own the Coinhive domain. Here's how I'm fighting cryptojacking and doing good things with content security policies.

1 comment

  1. joplin
    Link
    This is brilliant! It also points out the huge problem that exists with the way most web sites use JavaScript (and I'm assuming WebAssembly): It's always surprising to me how many large,...

    This is brilliant! It also points out the huge problem that exists with the way most web sites use JavaScript (and I'm assuming WebAssembly):

    Oh - and while we're here let's just let that sink in for a moment: I can now run whatever JavaScript I want on a huge number of websites. So, what could I do with JavaScript? I could change where forms post to, add a key logger, modify the DOM, make external requests, redirect to a malicious file and all sorts of other very nasty things. That's the power you hand over when you embed someone else's JS in your own site and that's precisely why we have subresource integrity.

    It's always surprising to me how many large, well-funded websites don't get this or get it and just don't care.

    4 votes