by l72 1550 days ago
> There are safe ways to have a token in a browser (as a secure, HttpOnly cookie, for example) but delivering the token in such a way as to allow any JS running on the page to have access to it is not one of them.

This always bugs me. Why is anyone creating an SPA (or any client mobile/desktop application) where they don't trust the code running in their own application? It just seems crazy to me to include dependencies/libraries that you can't trust.

1 comment

Plenty of examples of NPM packages being taken over:

* https://www.whitesourcesoftware.com/resources/blog/npm-packa...

* https://medium.com/@alex.birsan/dependency-confusion-4a5d60f...

* https://blog.sonatype.com/npm-project-used-by-millions-hijac...

* https://checkmarx.com/blog/attackers-write-bugs-as-well/

When was the last time you audited all of the libraries a SPA depended on? If it was during the last build, congrats, you're doing great.

Lots of times it isn't automated and can be neglected, though.