Hacker News new | ask | show | jobs
by geocar 2669 days ago
You don't need a malicious server.

You can use Google to do this and you'll get a google/branded domain name for your object-hijacking javascript. The number of times I've seen something like document.visibilityState='visible' in peoples ads (or ad wrappers) is astounding.
1 comments
Freak_NL 2669 days ago
Isn't document.visibilityState a read-only property?

https://developer.mozilla.org/en-US/docs/Web/API/Document/vi...

link
geocar 2668 days ago
No.

It is not.

    Object.defineProperty(document, 'visibilityState', { value: "visible", writable: false })
demonstrates trivially that the documentation is clearly wrong.

Maybe it says it's "read-only" because Google wants bad guys to do this sort of thing, since it makes advertisers buy more ads from them.

Or maybe it's an honest mistake that neither Mozilla, nor Google (nor Microsoft or anyone else it seems) has any idea what "read-only" means.

link