JavaScript Reference Monitors from Jeff Pickhardt on 2020-02-28 (public-web-security@w3.org from March 2020)

From: Jeff Pickhardt <pickhardt@gmail.com>
Date: Fri, 28 Feb 2020 12:20:27 -0800
To: public-web-security@w3.org
Message-ID: <CA+RMjsVPxGa6_achvrUp7dsZqA-vRaTucavpq0SMER75aHZTCQ@mail.gmail.com>

Hi all,

I think browsers should explicitly support lettings websites set trusted
reference monitors in modern web applications.

So I made a proposal:
https://github.com/pickhardt/js_reference_monitors

Some potential use cases:

  - to monitor network requests to track, detect, and attempt to prevent
data exfiltration from supply chain attacks like Magecart.

  - to monitor network requests to prevent sensitive data from accidentally
being sent to analytics trackers, like accidentally sending social security
numbers or credit card numbers to Google Analytics.

  - to implement a policy restricting content loaded on the page similar to
a Content Security Policy header, but with code over configuration.

  - to prevent cookies from being set before the user has given consent
(GDPR).

  - to prevent or warn the user before navigating away to an untrusted
domain.

Let me know what you think!

Best,
Jeff

--
Jeff Pickhardt
pickhardt@gmail.com

Received on Monday, 2 March 2020 09:28:36 UTC