by jotaen
881 days ago
To be fair, except for vue.global.min.js, all the JS files which OP pulls from third-party hosts are integrity-checked. So unless clients use very outdated browsers that don’t support the `integrity` attribute, the respective third parties wouldn’t be able to start inserting malicious code in the future. That being said, I agree it’s still a cheap security improvement for OP to control the hosting themselves. (Plus to integrity-check the Vue dependency.)
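The check described in the comment above, as an added example that is not part of the original thread: a Node.js sketch that computes a Subresource Integrity value, compares fetched bytes against it, and lists cross-origin `<script>` tags that have no `integrity` attribute. The origins, the file names other than vue.global.min.js, and the script bodies are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const ALGOS = ['sha512', 'sha384', 'sha256']; // strongest first

// SRI value for a script body: "<algo>-<base64 digest>".
function sriHash(body, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(body).digest('base64')}`;
}

// Compare fetched bytes with pinned integrity metadata, using only the
// strongest algorithm listed. Unrecognised metadata counts as a failure here.
function integrityMatches(body, integrity) {
  const tokens = integrity.trim().split(/\s+/);
  const algo = ALGOS.find((a) => tokens.some((t) => t.startsWith(`${a}-`)));
  return Boolean(algo) && tokens.includes(sriHash(body, algo));
}

// List cross-origin <script src> tags that carry no integrity attribute.
function auditScripts(html, pageUrl) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script, nothing fetched
    const url = new URL(src[1], pageUrl);
    if (url.origin === new URL(pageUrl).origin) continue; // self-hosted
    if (!/\sintegrity\s*=\s*["'][^"']+["']/i.test(tag)) findings.push(url.href);
  }
  return findings;
}

// Constructed sample data (not taken from OP's site).
const PAGE = 'https://app.example/';
const helperBody = 'console.log("helper v1");';
const SAMPLE_HTML = `
  <script src="https://cdn.example/vue.global.min.js"></script>
  <script src="https://cdn.example/helper.js" integrity="${sriHash(helperBody)}" crossorigin="anonymous"></script>
  <script src="/local.js"></script>`;

console.log('unpinned third-party scripts:', auditScripts(SAMPLE_HTML, PAGE));
console.log('original bytes pass:', integrityMatches(helperBody, sriHash(helperBody)));
console.log('modified bytes pass:', integrityMatches(helperBody + '//x', sriHash(helperBody)));
```
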
If we pretend that there are no vulnerabilities today, then the mind turns to what will change in the future.
I tolerate js in the Bitwarden extension because it's necessary, funded, supported and necessary. But Retriever sounds to me like a project that would do better to minimise surface area.