
I hope WebRTC isn't authorized by default by browsers. I want to give explicit consent. It should even have been that way for AJAX requests.



You might be interested in NoScript. With this addon, JavaScript can be blocked by default, and allowed on pages of your choosing.


What makes AJAX requests dangerous?


Some people just want to know about any data their browser is sending server side. In the old days, your browser would not do anything without you making a conscious action. Widespread AJAX use changed that so your browser could be sending information to a server without any oversight. That lack of oversight isn't inherently dangerous, but certainly has potential for exploitation.


You could always send information using JavaScript by loading images, hidden iframes, etc. (You would not get a meaningful response, though.) This applies to the dark old days even before JS.


Great point. Lately we have been reconsidering the request manager matrix shown in gngr. It was inspired by HTTPSwitchBoard's matrix, which has a separate column for XHR.

However, like you pointed out, there are other ways than XHR to leak data if JS is enabled.

If JS is not enabled, the kinds of data that can be leaked are fewer (perhaps screen resolution and size).

Would welcome expert comments on our issue tracker: https://github.com/UprootLabs/gngr/issues/90



