
Proposal: JavaScript Reference Monitors

From: Jeff Pickhardt <pickhardt@gmail.com>
Date: Fri, 28 Feb 2020 12:22:03 -0800
Message-ID: <CA+RMjsU15DKK_xX8Zh3fZD4mM_SPDobAYBjFd7E=DQ+RkbPLnw@mail.gmail.com>
To: public-webappsec@w3.org

Hi subscribers to Public-WebAppSec,

I think browsers should explicitly support letting websites set trusted
reference monitors in modern web applications.

So I made a proposal:
https://github.com/pickhardt/js_reference_monitors

Some potential use cases:

  - to monitor network requests to track, detect, and attempt to prevent
data exfiltration from supply chain attacks like Magecart.

  - to monitor network requests to prevent sensitive data from accidentally
being sent to analytics trackers, like accidentally sending social security
numbers or credit card numbers to Google Analytics.

  - to implement a policy restricting content loaded on the page similar to
a Content Security Policy header, but with code over configuration.

  - to prevent cookies from being set before the user has given consent
(GDPR).

  - to prevent or warn the user before navigating away to an untrusted
domain.

Let me know what you think!

Best,
Jeff


--
Jeff Pickhardt
pickhardt@gmail.com
Received on Monday, 2 March 2020 09:28:36 UTC
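The following is an added illustration of what such a reference monitor looks like when a site builds one itself today; it is not code from Jeff Pickhardt's proposal or repository. It wraps fetch() so that every outbound request is checked against a policy before it leaves the page, covering two of the use cases in the post: blocking requests to hosts outside an allowlist (Magecart-style exfiltration) and stopping data that looks like a social security or card number from reaching an analytics endpoint. The hostnames, function names and policy shape are assumptions made for this example.

```javascript
// Added example, not code from the proposal or its repository: a minimal
// in-page reference monitor for fetch(). Hostnames, function names and the
// policy shape are assumptions for illustration only.

const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
const CARD_CANDIDATE_RE = /\b(?:\d[ -]?){13,19}\b/g;

// Luhn checksum, so ordinary numeric ids are not mistaken for card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns 'ssn', 'card' or null depending on what the text appears to contain.
function containsSensitiveData(text) {
  if (SSN_RE.test(text)) return 'ssn';
  for (const m of text.matchAll(CARD_CANDIDATE_RE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) return 'card';
  }
  return null;
}

// Constructed sample policy: hosts the page may talk to, and the subset that
// only receives telemetry and must therefore never see sensitive data.
const examplePolicy = {
  allowedHosts: new Set(['shop.example', 'api.shop.example', 'analytics.example']),
  analyticsHosts: new Set(['analytics.example']),
};

function bodyToText(body) {
  if (typeof body === 'string') return body;
  if (body instanceof URLSearchParams) return body.toString();
  return ''; // Blob, FormData and stream bodies are not inspected here.
}

// Pure decision function: returns { allow, reason } for a single request.
function evaluateRequest(policy, url, body, pageOrigin) {
  const target = new URL(url, pageOrigin);
  if (!policy.allowedHosts.has(target.hostname)) {
    return { allow: false, reason: 'host ' + target.hostname + ' is not in the allowlist' };
  }
  if (policy.analyticsHosts.has(target.hostname)) {
    // The query string is inspected too: data leaks via URLs as often as via bodies.
    let query = target.search;
    try { query = decodeURIComponent(query); } catch (_) { /* keep raw query */ }
    const kind = containsSensitiveData(bodyToText(body) + ' ' + query);
    if (kind) {
      return { allow: false, reason: kind + ' detected in request to analytics host ' + target.hostname };
    }
  }
  return { allow: true, reason: 'ok' };
}

// Installs the monitor on a global object (window in a browser). It must run
// before any third-party script so that the wrapper is the fetch they see.
function installReferenceMonitor(globalObj, policy, pageOrigin, onViolation) {
  const realFetch = globalObj.fetch;
  const monitoredFetch = function (input, init = {}) {
    const url = typeof input === 'string' ? input : input.url;
    const verdict = evaluateRequest(policy, url, init.body, pageOrigin);
    if (!verdict.allow) {
      onViolation({ url: url, reason: verdict.reason });
      return Promise.reject(new TypeError('Blocked by reference monitor: ' + verdict.reason));
    }
    return realFetch.call(globalObj, input, init);
  };
  // Non-writable and non-configurable so later scripts cannot simply reassign fetch.
  Object.defineProperty(globalObj, 'fetch', {
    value: monitoredFetch, writable: false, configurable: false, enumerable: true,
  });
  return monitoredFetch;
}
```

In a page this would be called once, as early as possible, as `installReferenceMonitor(window, examplePolicy, location.origin, report)` where `report` forwards violations to a logging endpoint. The same policy check would also have to be applied to XMLHttpRequest, navigator.sendBeacon, WebSocket, form submissions and resource loads (image, script and link elements), and any script that runs earlier or obtains an unwrapped fetch from another realm sees none of it; that is exactly the gap the proposal asks browsers to close by supporting trusted reference monitors natively.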
