Hacker News new | past | comments | ask | show | jobs | submit login

Pick a random webpage with ads, right click, and "inspect element".

You will see the ad is rendered in a sandboxed iframe.

It's true that the ad-network can usually run in the context of the main page, but the ad itself cannot.

The ad network is typically fairly trusted - they are profitable businesses with a lot to lose to lawsuits if they store or leak your password.

It's the ad itself that you shouldn't trust - anyone with $1 can submit an ad. And that's why it's sandboxed.

We all know this is not generally true. Ad networks will even explicitly allow advertisers to inject their own unsandboxed js. And so will publishers. But hypothetically if this was true still doesn't make a difference, adtech is pretty negligent of security.

> a lot to lose to lawsuits if they store or leak your password.

This has been demonstrated to be wrong (see: every time there's malware on an ad network).

There has been no instance of malware on an ad network (that I know of).

The malware has been in an ad creative, and those are sandboxed. The malware has usually exploited weaknesses in the browser, but if there weren't browser exploits, it still wouldn't get access to the host page.

Such browser exploits are getting harder to find with things like per-domain processes isolation in Chromium based browsers.

The only thing creative here is the imagination that the ad network is not responsible for the content it serves, though I recognise we may just have fundamentally different outlooks on responsibility. If that is the case, I feel like discussing it further is not going to help either one of us.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact