roneil | 6 years ago
This is why we recommend that you audit all third-party JavaScript in your app for accesses to localStorage, and avoid sourcing third-party JavaScript from uncontrolled origins (the code could be switched out from under you if it is not baked into your application).
The postMessage model is an interesting one. We looked into designing Hedgehog in that way, but decided it ultimately did not help solve this issue and created unnecessary complexity. If you include JavaScript from libraries or other origins on your page, e.g. Google Analytics, that JavaScript could still postMessage into your iframe.
Perhaps we are wrong here though! Is FinneyFor open-source? Would love to see how this is implemented.
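The point roneil makes about postMessage can be seen in code. The block below is an added example, not Hedgehog or FinneyFor code: it is the kind of origin and schema check an iframe-side handler would apply to incoming messages, together with a constructed stand-in for `window.postMessage` that shows why the check cannot tell a first-party script from a third-party tag loaded into the same parent document. The parent origin `https://app.example`, the `readSecret` message type and the simulated senders are all assumptions made up for the illustration.

```javascript
// Added example (not Hedgehog or FinneyFor code). An iframe that exposes a
// secret over postMessage should at least validate the sender's origin and the
// payload shape; this shows that check, and why it does not help against
// third-party scripts running inside the trusted parent page.

const EXPECTED_PARENT_ORIGIN = "https://app.example"; // assumed parent origin

// Decide whether a message event should be acted on. Returns a result object
// instead of acting, so the decision can be inspected and tested.
function evaluateMessage(event, expectedOrigin = EXPECTED_PARENT_ORIGIN) {
  // First gate: only the expected parent document may talk to this iframe.
  if (event.origin !== expectedOrigin) {
    return { accepted: false, reason: "unexpected origin " + event.origin };
  }
  // Second gate: the payload must have the shape we expect.
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.type !== "string") {
    return { accepted: false, reason: "malformed payload" };
  }
  if (data.type !== "readSecret") {
    return { accepted: false, reason: "unknown message type " + data.type };
  }
  return { accepted: true, reason: "origin and schema ok" };
}

// Constructed stand-in for window.postMessage as seen by the receiver: every
// script executing in the parent document sends with the parent document's
// origin, no matter which host the script file itself was downloaded from.
function simulatePostMessage(senderDocumentOrigin, data) {
  return { origin: senderDocumentOrigin, data };
}

// Three constructed senders: the app's own code, a third-party tag included
// in the same page (it runs with the page's origin), and a different origin.
function runSimulation() {
  const parentOrigin = "https://app.example";
  const fromFirstParty = simulatePostMessage(parentOrigin, { type: "readSecret" });
  // Loaded from, say, a third-party CDN, but executing in the parent document.
  const fromThirdPartyScript = simulatePostMessage(parentOrigin, { type: "readSecret" });
  const fromOtherOrigin = simulatePostMessage("https://other.example", { type: "readSecret" });
  return {
    firstParty: evaluateMessage(fromFirstParty),
    thirdPartyScript: evaluateMessage(fromThirdPartyScript), // passes the same check
    otherOrigin: evaluateMessage(fromOtherOrigin),
  };
}

// In a real iframe the same decision function is wired to the message event.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const verdict = evaluateMessage(event);
    if (!verdict.accepted) return; // drop silently; do not reply to unknown senders
    // ... handle data.type === "readSecret" here ...
  });
}

module.exports = { evaluateMessage, simulatePostMessage, runSimulation };
```

The origin check still matters (it rejects other origins and malformed payloads), but the simulation makes the limitation concrete: the third-party sender and the first-party sender are indistinguishable at the receiving end, which is the reason given above for not relying on postMessage to solve the third-party script problem.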
xrd | 6 years ago
Auditing the source code of all libraries is a tall order. And, even if you don't find a bug, there still might be some that someone else could exploit with bugs in your code and the JS libraries.
Finney For is not open source.