Hacker News

3) Fingerprinting and tracking in general are heavily JavaScript-focused. Less common in practice (I assume), but still possible, are 4) Rowhammer or Spectre/Meltdown style attacks that break out of the permission system. Finally, there's general trickery, manipulation, and malware, like trying to embed a frame from Facebook and steal user credentials or so on (I'm fuzzy on these sorts of attacks, not an expert).


3) Right - and I guess "fingerprinting" goes slightly beyond cookies - but when people say "execute arbitrary code" they typically imply something has free rein, which JavaScript generally doesn't.

4) True, although it's my understanding that the exploits are hard to implement, doubly so from an abstracted layer like JavaScript.

> trickery, manipulation...like trying to embed a frame from Facebook and steal user credentials or so on

This falls under "cookies-based", and I'm pretty sure no JavaScript is necessary for these kinds of attacks.


Good point on 3. I guess the main point is browsers at least disallow reading and writing arbitrary files directly.


Before JavaScript took over tracking, the 1x1 white pixel ruled the land. No JavaScript needed there.



