Somehow this knowledge has not spread widely in the mainstream - I myself didn't quite realise how easy it was to do just this until about a year ago,
visible to those looking for it. There is little use for these methods apart from snatching another person's history. Perhaps though, there are a lot
of motives to do so.
it's impossible to retain functionality when improving security. Many vulnerabilities have been fixed in the past, but browser development remains a
work in progress.
One problem that probably cannot be solved is that injected malicious code could read whatever is in your cookie of the trusted site/domain running
store account information such as username and a hashed password in their cookies; though it depends on the hashing algorithm and the password itself,
the attacker could have your plain-text password in mere seconds.
effect, the probability of someone executing code you don't need nor want in your own browser is reasonably high. They may not be sniffing your
history, but how do you feel about "event tracking": code tracking every single mouse movement - every click or scroll - and sending the relevant data
immediately to a traffic analyser? Often such code is meant to help the site owners develop the site through proper analysis, but it's simply too
invasive when it starts affecting browser performance noticeably. Apart from good intentions, third parties sometimes get hacked to inject malicious
code on all the sites that were using it - and some third parties never had good intentions to begin with.
third parties never get compromised - then
your system, for example - but the "little things" like browser performance, safety of accounts and privacy of browser history should be enough to be
more cautious than browsers tend to be by default.
functional. A more popular approach is to use Firefox in combination with the NoScript extension.
want to allow. By default, it allows only the top-level site - the domain you're visiting - to run its code; all code gets separated by domain, and
you can choose which to allow by clicking the NoScript icon. Once you allow a domain, its code is allowed to run on all the sites using it - for
example, if you allow all of Facebook's domains, Facebook should just work from then on.
The drawback of this approach is that 'mash-up' sites using code from 'smaller' domains will break pretty much completely. You can temporarily allow
all domains for that page, but that defeats the whole purpose of using NoScript; manually allowing the right hosts would be better, but is
time-consuming. Overall however, you'll notice a boost in performance when the browser doesn't have to run all the extra code anymore - and, you'll be
a lot safer.
If you intend to roam the 'darker corners' of the interwebs as well, or if you just want to be really secure, you may want to disable the default
NoScript setting to allow top-level domains. This will require you to manually allow the top-level domain every time you visit a new site, but
therefore restricts all code unless you specifically tell it to trust it.
Whoops, didn't mean to turn this into a rant (even though I should've expected it to happen, I always rant :p) .. but I hope it's of use to
edit on 7-12-2010 by scraze because: (no reason given)