Hacker News new | ask | show | jobs
by _-___________-_ 2662 days ago
But why can't a malicious server also serve up some JS that modifies the behaviour of the JS served by the ad network?
2 comments
geocar 2662 days ago
You don't need a malicious server.

You can use Google to do this and you'll get a google/branded domain name for your object-hijacking javascript. The number of times I've seen something like document.visibilityState='visible' in peoples ads (or ad wrappers) is astounding.

link
Freak_NL 2662 days ago
Isn't document.visibilityState a read-only property?

https://developer.mozilla.org/en-US/docs/Web/API/Document/vi...

link
geocar 2662 days ago
No.

It is not.

    Object.defineProperty(document, 'visibilityState', { value: "visible", writable: false })
demonstrates trivially that the documentation is clearly wrong.

Maybe it says it's "read-only" because Google wants bad guys to do this sort of thing, since it makes advertisers buy more ads from them.

Or maybe it's an honest mistake that neither Mozilla, nor Google (nor Microsoft or anyone else it seems) has any idea what "read-only" means.

link
ryan-c 2659 days ago
they try to do that sometimes, but it's rather harder to claim innocence for that than other methods
link