senthilp / spofcheck

A CLI tool for detecting frontend SPOF
33 stars 2 forks

document.write spof #1

Closed ddunlop closed 7 years ago

ddunlop commented 11 years ago

The rules don't catch single points of failure that make use of document.write, such as the old Google Analytics tags.

<script type="text/javascript">
  var gaJsHost = (("https:" == document.location.protocol) ?
    "https://ssl." : "http://www.");
  document.write(unescape("%3Cscript src='" + gaJsHost +
    "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
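As an added example that is not part of the original issue and not spofcheck's own rule code: a small JavaScript rule in the spirit of what is asked for above. It pulls the inline `<script>` bodies out of an HTML document, finds `document.write(...)` calls, reconstructs the string literal pieces of the argument (applying percent-decoding so that `unescape("%3Cscript ...")` becomes `<script ...>`, and marking runtime-computed pieces such as `gaJsHost` with a `{expr}` placeholder), and flags any call that injects a `<script src=...>` tag, since such a script is fetched synchronously and blocks parsing while the third-party host is slow or down. The sample HTML, the page host `www.example.com` and the function names are constructed for this example.

```javascript
// Added example, not spofcheck's own code: a document.write SPOF rule.
// Sample page (constructed) containing the legacy Google Analytics snippet,
// a harmless document.write of plain markup, and a same-origin script tag.
const SAMPLE_HTML = `
<html><head>
<script type="text/javascript">
  var gaJsHost = (("https:" == document.location.protocol) ?
    "https://ssl." : "http://www.");
  document.write(unescape("%3Cscript src='" + gaJsHost +
    "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script>document.write("<p>inline markup only, no script</p>");</script>
<script src="/local/app.js"></script>
</head><body></body></html>`;

// Return the body of every inline <script> element (those without a src attribute).
function inlineScripts(html) {
  const out = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) out.push(m[2]);
  }
  return out;
}

// Walk the argument list starting at the "(" of document.write( and rebuild the
// markup that would be written: string literals are kept (percent-decoded, which
// is what unescape() does for %XX sequences), and any identifier that is not a
// function call is replaced by the placeholder "{expr}" because its value is
// only known at runtime.
function writeArgument(src, openParen) {
  const pieces = [];
  let depth = 0;
  let i = openParen;
  while (i < src.length) {
    const c = src[i];
    if (c === '"' || c === "'") {
      let j = i + 1;
      let lit = "";
      while (j < src.length && src[j] !== c) {
        if (src[j] === "\\" && j + 1 < src.length) { lit += src[j + 1]; j += 2; continue; }
        lit += src[j];
        j += 1;
      }
      pieces.push(lit);
      i = j + 1;
      continue;
    }
    if (c === "(") { depth += 1; i += 1; continue; }
    if (c === ")") {
      depth -= 1;
      if (depth === 0) break;          // closing paren of document.write(
      i += 1;
      continue;
    }
    if (/[A-Za-z_$]/.test(c)) {
      let j = i;
      while (j < src.length && /[\w$]/.test(src[j])) j += 1;
      let k = j;
      while (k < src.length && /\s/.test(src[k])) k += 1;
      // identifier followed by "(" is a call wrapper such as unescape(); anything
      // else (a variable like gaJsHost) is a runtime value
      if (src[k] !== "(" && pieces[pieces.length - 1] !== "{expr}") pieces.push("{expr}");
      i = j;
      continue;
    }
    i += 1;
  }
  return pieces.join("").replace(/%([0-9a-f]{2})/gi, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// The rule: every document.write / writeln that injects a <script src=...> tag is
// a finding; it is marked third-party when the script host differs from the page host.
function findDocumentWriteSpof(html, pageHost) {
  const findings = [];
  for (const code of inlineScripts(html)) {
    const re = /document\s*\.\s*write(?:ln)?\s*\(/g;
    let m;
    while ((m = re.exec(code)) !== null) {
      const markup = writeArgument(code, m.index + m[0].length - 1);
      const tag = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(markup);
      if (!tag) continue;               // writes markup, but not a blocking script
      const src = tag[1];
      let host;
      if (/^\.?\/(?!\/)/.test(src)) {
        host = pageHost;                // relative URL: same origin as the page
      } else {
        const h = /([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i.exec(src);
        host = h ? h[1].toLowerCase() : null;
      }
      findings.push({ src, host, thirdParty: host !== null && host !== pageHost });
    }
  }
  return findings;
}

// Usage: report the constructed sample against a hypothetical page host.
for (const f of findDocumentWriteSpof(SAMPLE_HTML, "www.example.com")) {
  console.log(`document.write injects ${f.src} (host ${f.host}, third-party: ${f.thirdParty})`);
}
```

The scheme half of the URL in the Google Analytics snippet lives in the `gaJsHost` variable, so the rule reports the source as `{expr}google-analytics.com/ga.js` and still recovers the host from the literal part; a rule that only looked for a complete `http://` literal would miss exactly this snippet.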
senthilp commented 11 years ago

@ddunlop Good point. Will try to add that rule in the next iteration.

senthilp commented 7 years ago

This may not be a problem anymore with browsers coming up with Interventions - Intervening against document.write().