UK ICO, USCourts.gov... Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned

JLV Silver badge

Yes, but if you take the very useful NoScript, a typical website calls on 8-10 JS domains.

It's not always clear what scripts are need-to-have vs eye candy/ad serving. Then, as you enable some, they in turn want to load more.

Obfuscated URLs may look malicious but often are just how CDNs work.

(not to mention JS-only sites that render nothing until enabled)

It's a massive obnoxious mess and often results in me leaving a site on arrival.

In addition to checking vs last-seen versions, as suggested here, maybe it's time browsers/plugins look at behavior and profile of scripts, including stuff like API calls being made, CPU use and clipboard access. Known-good script hash checks vs a central registry. Possibly uploading never-seen code for analysis.

No need for the equivalent of flashlight apps accessing contacts, for example.

I don't see this as a JS fail per se - any language holding its role in our current web architecture would cause this. But our trust model feels a lot like when we were sending each other EXEs with funny contents in the mid 90s. I don't see it lasting another 20 years.
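One way to implement the known-good script hash check the comment proposes, as an added Python example that is not part of the comment, of The Register, or of any real browser plugin: each fetched third-party script is hashed in the same SRI `sha384-<base64>` form browsers use for the `integrity` attribute and compared with the digest last seen for that URL, so a silently replaced plugin shows up as "changed" rather than loading. The URLs, script bodies and registry contents are constructed for the example.

```python
import base64
import hashlib
from typing import Dict


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return an SRI-style integrity value, e.g. 'sha384-<base64 digest>'."""
    raw = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def check_scripts(fetched: Dict[str, bytes], registry: Dict[str, str]) -> Dict[str, str]:
    """Classify each fetched script against the last-seen registry.

    'ok'      -> digest matches the known-good entry for that URL
    'changed' -> URL is known but the body no longer matches (block/alert)
    'unseen'  -> URL has never been recorded (candidate for review)
    """
    verdicts = {}
    for url, body in fetched.items():
        digest = sri_digest(body)
        known = registry.get(url)
        if known is None:
            verdicts[url] = "unseen"
        elif known == digest:
            verdicts[url] = "ok"
        else:
            verdicts[url] = "changed"
    return verdicts


def script_tag(url: str, body: bytes) -> str:
    """Emit a <script> tag pinned to the reviewed body, so the browser itself
    refuses any later substitution of that file."""
    return (f'<script src="{url}" integrity="{sri_digest(body)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample data (hypothetical URLs and bodies, not real site content).
GOOD_PLUGIN = b"window.plugin = function () { /* accessibility widget */ };"
GOOD_LIB = b"window.lib = { version: '1.0' };"
# Same URL, but the body served today carries an extra appended block.
SWAPPED_PLUGIN = GOOD_PLUGIN + b"\n/* unexpected appended code */"

REGISTRY = {
    "https://cdn.example/plugin.js": sri_digest(GOOD_PLUGIN),
    "https://cdn.example/lib.js": sri_digest(GOOD_LIB),
}
FETCHED_TODAY = {
    "https://cdn.example/plugin.js": SWAPPED_PLUGIN,
    "https://cdn.example/lib.js": GOOD_LIB,
    "https://ads.example/track.js": b"/* never seen before */",
}

if __name__ == "__main__":
    for url, verdict in check_scripts(FETCHED_TODAY, REGISTRY).items():
        print(f"{verdict:8} {url}")
```

The `changed` verdict is the Browsealoud-style case: same trusted URL, different bytes, which is exactly what a per-page SRI `integrity` attribute would also have refused to run.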
