I had a chat with Chrome security folks about the binding expressions in source maps. My initial worry was that we are now executing JS snippets that are provided by the source map in an inspected page. E.g. if an attacker can trick a user into opening a page with a malicious source map or load a malicious source map into a targeted page, and they could trigger a pause in the page, then malicious binding expressions would run inside the inspected/targeted page.
Attackers have to target users/developers, as it's non-trivial to make a targeted page that an attacker does not control load a malicious source map without additional user action on top of opening DevTools.
It's simply easier to trick users into opening DevTools and pasting something into the console.
As such we are good on shipping binding expressions in source maps that can be arbitrary JavaScript expressions. Nonetheless we should add a sentence or two once we write the spec text that we gave it some thought.