Hacker News new | comments | show | ask | jobs | submit login

What sort of security is in place - e.g. what's stopping a pop-up ad from logging keystrokes and sending them to a remote endpoint?

This is possible with current technology: $(document).keypress(sendKeypressInfo)

$(document).keypress won't pick up keystrokes from across tabs or windows. So unless the popup is the active window, you should be safe from something like this.

Hmm, we are not talking about web page js here, we are talking about Chrome API js here. It's far more powerful.

Won't the Same Origin Policy limit the exposure via ajax?

They don't have to use ajax. They can load an image with an arbitrary url and pass the keypress data in the url parameters, or dynamically create a script tag, or create an iframe and submit a form in it, etc. The script tag method also lets them get data back from the remote endpoint, if the remote endpoint is kind enough to encode it as JSONP.

I think he's referring to a hostile script trying to bind to keydown -- usually you shove the banners in iframes to limit this possibility when you include external untrusted content. I assume the same holds true here, though.

The Same Origin Policy can be overridden by the site accepting the connection (http://www.w3.org/TR/cors/), so assuming that site is hosted by the attacker it wouldn't be helpful. If the site used (and the browser supported) a Content Security Policy (http://www.w3.org/TR/CSP/) you could restrict such outgoing connections.

I don't think this is an issue. The popup would only capture whatever keystrokes are typed into the popup (as dbaupp illustrated). DataChannels doesn't change the boundaries within which a webpage/Javascript runs

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact