Proposal: JavaScript Reference Monitors

Hi subscribers to Public-WebAppSec,

I think browsers should explicitly support letting websites set trusted
reference monitors in modern web applications.

So I made a proposal:
https://github.com/pickhardt/js_reference_monitors

Some potential use cases:

  - to monitor network requests to track, detect, and attempt to prevent
data exfiltration from supply chain attacks like Magecart.

  - to monitor network requests to prevent sensitive data from accidentally
being sent to analytics trackers, like accidentally sending social security
numbers or credit card numbers to Google Analytics.

  - to implement a policy restricting content loaded on the page similar to
a Content Security Policy header, but with code over configuration.

  - to prevent cookies from being set before the user has given consent
(GDPR).

  - to prevent or warn the user before navigating away to an untrusted
domain.

Let me know what you think!

Best,
Jeff


--
Jeff Pickhardt
pickhardt@gmail.com
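One way to build the network-request monitor the first two use cases describe, as an added example that is not code from the proposal or its repository: it wraps fetch() with a host allowlist, a Luhn-based check that stops card numbers reaching analytics hosts, and pins the wrapper so later scripts cannot replace it. The host names, policy object shape and sample bodies are assumptions made for illustration.

```javascript
// Added example, not from the proposal: a minimal JavaScript reference monitor
// around fetch(). Policy shape, hosts and sample bodies are constructed here.

// Luhn checksum, used to tell real card numbers from arbitrary digit runs.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// True if a string body contains a 13-19 digit, Luhn-valid number. Spaces and
// dashes are stripped first, so "4111 1111 1111 1111" is caught as well.
function containsCardNumber(body) {
  if (typeof body !== "string") return false;
  const runs = body.replace(/[ -]/g, "").match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Policy decision for one request (absolute URL assumed).
// Returns "allow" or a "block:<reason>" string.
function decide(policy, url, init) {
  const host = new URL(url).hostname;
  if (!policy.allowedHosts.has(host)) return "block:unlisted-host";
  if (policy.analyticsHosts.has(host) && containsCardNumber(init && init.body)) {
    return "block:sensitive-data";
  }
  return "allow";
}

// Install the monitor on a global object. The wrapper is pinned as a
// non-writable, non-configurable property so later scripts cannot swap it out;
// to be trusted it must be installed before any third-party script runs.
function installMonitor(global, policy) {
  const realFetch = global.fetch;
  function monitoredFetch(url, init) {
    const decision = decide(policy, url, init);
    policy.report({ url: String(url), decision }); // audit every decision
    if (decision !== "allow") {
      return Promise.reject(new Error(`blocked by reference monitor: ${decision}`));
    }
    return realFetch.call(global, url, init);
  }
  Object.defineProperty(global, "fetch", { value: monitoredFetch, writable: false, configurable: false });
  return monitoredFetch;
}
```

In a real page the monitor would be installed with `installMonitor(window, policy)` from the first inline script, and XMLHttpRequest, sendBeacon and WebSocket would need the same treatment.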

Received on Monday, 2 March 2020 09:28:36 UTC