What prevents ads from reading my password as I type it?

Disclaimer: I have minimal web-dev/security knowledge so please answer with this in mind.

I've heard that web-advertisements need to be able to run their own JavaScript so that they can verify they're being viewed by "real users." As this incident on StackOverflow shows, they're basically given free rein.

I also know that JavaScript can be used to capture keystrokes on a webpage.

So if an ad is placed on a login page, is there something in place to prevent the ad from reading keystrokes to record my credentials? Is reading keystrokes simply not possible from an ad?

If I see ads on a login page should I assume that the page is not safe to enter my credentials?
Tags: passwords, web-application
asked 9 hours ago by scohe001, edited 4 hours ago
  • It's worse than that. Web performance tools and similar not only read your credentials but they read the credentials you type and then delete. Very nasty. You might be able to get away with not typing, always pasting your credentials. But the JavaScript has access to your DOM so it can just read every element. The only way to stop that is not to use credentials but to use OAuth and hand your life over to Google. What could go wrong.

    – Unicorn Tears
    9 hours ago
1 Answer
Nothing prevents ads from reading your passwords.

Ads (or any other script like analytics or JavaScript libraries) have access to the main JavaScript scope, and are able to read a lot of sensitive stuff: financial information, passwords, CSRF tokens, etc.

Well, unless they're being loaded in a sandboxed iframe.

Loading an ad in a sandboxed iframe will add security restrictions to the JavaScript scope it has access to, so it won't be able to do nasty stuff.

Unfortunately, most of the third-party scripts are not sandboxed. This is because some of them require access to the main scope to work properly, so they're almost never sandboxed.

As a developer, what can I do?

Since any third-party script could compromise the security of all your personal data, all sensitive pages (like login forms or checkout pages) should be loaded on their own origin (a subdomain is fine).

Using another origin allows us to profit from the Same-Origin Policy.

Note: Content Security Policy and Subresource Integrity could also be used if the third party can be easily reviewed, but most ad networks couldn't work anymore if you used them.
answered 9 hours ago by Benoit Esnard, edited 4 hours ago

  • Is there some way a layman like me could tell the difference between a sandboxed ad vs. a non-sandboxed ad?

    – scohe001
    9 hours ago

  • @scohe001: Do you know how to use the "Inspect element" tool in your browser? A sandboxed iframe has a "sandbox" attribute. I don't know any easy way to check this without any HTML knowledge unfortunately. :(

    – Benoit Esnard
    9 hours ago

  • @scohe001 This Stylus usersheet will put a super-annoying border around unsandboxed iframes and sandboxed iframes that can run scripts: iframe:not([sandbox]),iframe[sandbox~=allow-scripts]{border:10px solid red !important;border-image:repeating-linear-gradient(45deg,red,red 5%,#ff0 5%,#ff0 10%)10 !important;}

    – AuxTaco
    9 mins ago