While a hacker gaining access to the developers' GitHub account would be bad, they would still have to actually push the malicious code to GitHub before they can serve it from airborn.io. So, if people pay attention to pushes to GitHub, this attack could still be detected (but not prevented). For prevention, one possibility would be to require all commits to have been on GitHub for at least 24h or so. Then, the devs would have some time to try and get their accounts back. We don't implement that today, though.
That section attempts to explain how web apps work today, if you don't use that library. Reading the entire thing back, I agree that the how is never explained very well, although https://www.airborn.io/docs/security does explain it.