New idea for an ad blocker: Injecting Polyfill script tags into site

"Isn't NPM the same? There are a million who-knows-whats in my module directory. It took 30 minutes just to delete dependencies that depend on dependencies, a million times over.

15:45 the reason they didn't pin it to a specific hash is the most dangerous thing about pollyfill, it changes based on user agent. Each user may be served a different js file, so you can't pin the script to a specific hash. They give full control of what may be PAYMENT PAGES to a script that randomly changes BY DESIGN! Don't embed things like pollyfill, even if you don't have evidence of it being compromised.

Working in one of the largest bank of Australia. I told my manager about this polyfill thing he was still not convinced after your tweet . Now sharing this video to him. Reason being i am having 2 yrs if experience while he is industry for last 15 yrs.

Its wild that they got the github repo too? Like idk that seems weird.

Damn. I had no idea. Terrifying knowing how when repos like Polyfill are bought by different companies, they can do what they please with what they own, whether for the good or not. In most cases, the company that takes over has good intentions, but in the case of Polyfill, it's clear that this wasn't the case.

You passed over nintendo in that list, holy f u c k

Using non-checksumable external libraries is a terrible idea? Who would have thought!

Moral of the story: self-host everything, don’t rely on anything external. Even for something as harmless and innocuous as a CDN like JSDelivr, there are implications. What if JSDelivr is down the day your site goes viral, to name one example?

I struggle watching content where the person is just reading lines from an article. It's like the most lazy form of content generation ever. This entire video could have been summed up in 60 seconds or less.

To be fair: even before Chrome, Firefox had already put significant pressure on Internet Explorer, Safari and Opera to embrace standards (although to be really fair, IE was the only real problem child). Chrome was just doing what Firefox already started but with the leverage of better UX and more marketshare. I am glad they killed the old web.

And this is why I never deploy production code that calls a third-party CDN. If you're doing that, you are trusting that third party to send you the script you're expecting every time someone loads the page. But they absolutely could send you literally whatever they want instead.

I would expect the Cloudflare status page to be running outside of their CDN infrastructure to keep it available during outages so it isn't entirely surprising that they came up with an easy way to avoid the issue and forgot to apply it to that separate part of their systems. It should definitely be on a bunch of checklists now though so that nobody will forget about it for a while.

6:15 I love the TOS going "Oopsies, we may give you a virus, we cant know for sure!!,1!! Plz check urself for any viruses we may or may not have put on your website!!!111!,"

I love how the thing says JSTOR is being affected by the polyfill hack and you're like "cool, let me go open that right now".

so as a new new dev I'd been wondering for a while about the security of CDNs and cross-site linking which, back in the day was almost exclusively an attack method, that I keep being instructed to use. Is the benefit of not serving a 20kb css or js file yourself really worth it?

6:20 are they suggesting developers to embed an antivirus on their website?

Where does Theo gets his shirts? They look terrific

Using polyfill and other libs like unpkg and jsdelivr has always been really distasteful to me. Literally bundling arbitrary code that can be swapped out during prod. Of course there are mitigations, but just bake in the libraries you need into your own application...

What? You mean just tossing in the cdn script isn't the best idea?!?!?!

For the cloud flare status page, I'm assuming they can't serve that page using their caching/rewriting layer - if there's a problem with the core service and the status page is proxied by it, nobody would be able to view the status.

I was visiting few sites last month and i was being redirected to a betting site. I thought I clicked some ad 😮

Don't name your project/library something that would be a valid web domain. Especially not if you don't even own said web domain.

The way I snickered when you @'d hulu.... that is rich lol

I thought it was obvious to NOT load scripts from external sites for security reasons, guess I was wrong.

If i throw the polyfill url into my adblocker I should be fine right? like if my client refuses to fetch it, then surely I am protected? Too bad Chrome Manifest V3 is going to kill this functionality

SRI integrity hashes should be used when loading all external scripts.

I can't believe these huge sites are using dynamic content delivery like that. I know its a thing but for like an actual production site it seems insane to just be like "yeah go get whatever javascript comes from this link". Nuts not to pin a version and send it from your own server...

I've been saying this for years but nobody cares. This is the same with pretty much all popular programming languages. Unless every package is carefully vetted, which it isn't

Malicious companies do the same thing with browser extensions. They give the original team a ridiculous amount of money to buy the extension, then sever malware through it.

The only good thing about this is that it could have been much much worse and gone undetected for even longer.

Crap like this is why I run the NoScript browser add-on and only selectively allow JS to run on my browsers.

Me watching this with Hulu paused on the side: 👁👄👁

well, this is the second attack of such scale on open source community from chinese and affiliated parties

Whenever I run "npm install" my heart skips like 10 beats. You could pull malware at any given time and let's be honest it's almost impossible to know.

This is why the script tag has an integrity attribute if you are smart enough to know how to use it.

Supply chain problem... people adding 500 dependencies to their program. Life going as normal LMAO

Many of such supply chain attacks are often avoided by using a specific, static version of an NPM dependency. But I guess, in this case, the theoretical use case for that "tool" didn't allow for that too much.

Chat GPT is using this Library. I tweeted at them please complain to to them too.

I use theos videos to know the news and then search another, more succint video to actually see the content how can a great creator reach this trash

We should just copy the script and put it in our own repository.

that’s why i host my own CDN.

Never remote load a resources where you don't solely own the remote host. If you need to use a remote resource, download it, and upload it to your own CDN. You must, must, verify the libraries you use.

"Trustworthy alternatives" Lists two US companies. Yeahhh... I wouldn't call any company that can be court ordered to spy on me trustworthy.

This is why I don't use polyfill, this is why I block polyfill via no-script... But seriously, a lot of web developers need to learn IE9 does not exist anymore.

It’s crucial that you use the integrity attribute with a hash of the JS code on all your external script tags to protect against attacks like this! You still need to verify the safety whenever you add or update any external dependencies, but at least this prevents malicious third parties from changing the code under you.

The real question is who is the person that sold it to this Chinese company?

Shouldn’t browsers block polyfill domain at that print?

As soon as I saw "pwn'd" I thought of roblox I hate myself

I'm not seeing this get asked anywhere, so maybe my ignorance is showing. If the URLs where the scripts are being loaded from are the domain in question, and the polyfil project people say they never owned the domain nor were responsible for it's sale - How was it even being used to source files from? How would the A record -> IP address link work if they didn't have ownership of the domain in the first place? And if it were never owned by them, why use a domain they didn't own, in their scripts?

Making websites work in IE7 is very important ... imagine the revenue and wisdom this demographic has to offer!

Should've rewritten it in rust.... wait, the service is already written in rust. Doesn't that mean rust is insecure? /j

Why are people so dumb? Yes, let's just make remote web requests from our website to another website with this magical script tag. Nothing could _ever_ go wrong with that! I just ran a quick code search and found ZERO usages in my code. That's because I have a policy of first-party hosting of any third-party libraries but I also tend to just write my own code, so I would probably never use this trash in the first place. I also vet the code I use by looking at it first instead of just blindly using something that sounds good/looks cool. Everyone who got pwnd here deserve what they get for being LAZY developers. Learn how to develop software correctly and this won't ever happen to you.

Let's be real here, the entire JS ecosystem(and Python and a lot of other languages as well) is horrible for this exact reason: They don't make it easy to program without trusting many, many (untrustworthy) people. This is mostly due to the developers not wanting to write simple, common functions, and instead rely on external third parties. Have fun with your millions of lines of code and hundreds of people in your TCB for a f'ing UI library or whatever that you don't even need, just to not implement a few very simple functions. Did you know computer double in performance every so often? You can't tell? Well, you can't tell because the average developers get worse at the same rate.

Morale of the story... If you actually care about open source, and the internet don't sell off your dead project to a chinese developer

Hell shit balls, I got hacked 1 year ago because of the same shit; I report it i didn't know it will go viral lol

Not to offend you but do you ever get comments that you look like Jerry Attricks from Scott the Woz in your thumbnails

okay, but heres a question.. you say these sites pointed to the cdn polyfill domain but if this domain DIDNT exist before, why did they add the domain to their page?

Wait, a dude created a service, and all of a sudden he's not the owner? I understand it was most likely a group effort, albeit that should be noted in the repo for such cases where a threat actor could obtain a github account and the domain. This just seems like a weird way to go about this.

4:18 Oh no... how terrible.... Oh no. That one's probably a useful feature. "Academic research", my ass.

imagine doing web dev where your tetris depends on 60 other packets that you have no power over it... and then call yourself a developer XD couldn't be me

I still have to leave before I get an aneurysm...

I’m so done with js

javascript was a huge mistake. we need HTML patch jobs, like json patches. instead of AJAX.

Why do any of these companies load scripts directly from random cdns instead of self-hosting to begin with? Idiotic.

But what does this do to the end user?

I think a more secure method of using third-party scripts would be to first redirect them to a "center-point," which is essentially a file on your website that serves as an import for the scripts. You can then link that file to all of your pages instead of directly linking to the script. This way, if you notice any security breaches, you can simply remove or replace the single import file rather than spending a lot of time changing it on every page.

Why those guy are doimg everything to violate the worlds privacy? I swear most of the times they are behind those

Couldn't you use something like a Pi-hole to block all traffic to the Polyfill website on your network to protect yourself? I think you could do this with the hostfile too, but you would need to do that on every device.

Thats why i allways self host this scripts

The ability of a website to load a script from anything it does not directly control was always going to get us into trouble. Just look at how many 3rd parties are accessed by a typical website. It's insane... and web developers and frameworks that encourage this model are at fault. Unfortunately fixing the problem is going to be very hard. Unscrupulous ad companies are even starting to force websites to add cname records so their scripts can "appear" to come from the first party! The only solution here is to make things much stricter: - Restrict script tags such that they must be served *from the same IP* as the primary page. No exceptions. No DNS bypasses. *SAME ORIGIN BY IP* or your script is blocked. - The HTML must embed a hash of the script it is going to load, and that hash must match or the script will be blocked. - If a website communicates with a 3rd party domain, each individual domain will be presented to the user in a list to be approved. Will this break a *ton* of sites? Yes. Do they deserve it? Absolutely yes. Is this proposal practical? Of course not, but anyone who is honest about the state of the internet will agree that what we're doing now can't continue.

So this is all Jake Champion's fault. I wonder how much he sold for?

Simply put, once one adds a tag to a 3rd party , it has full control over that website Since Javascript can modify everything with DOM manipulation and by Overriding/Overloading Event Listeners One may use 3rd party scripts to speed up development, local copies of said script if possible. Then, later on, drop those dependencies one by one. If not, they will eventually turn into vulnerabilities that create security and service issues.

For Christ's sake. If you really think it's a great idea to depend on scripts (or any other resource) from an external CDN, at LEAST use checksum validation! Everybody and their mum knows that.

Every day theres some new fuck up in the web dev sector. Its time to reset this twisted game.

People that include resources from servers they don't own in their websites actually don't deserve better. No mercy! I the EU it's actually forbidden by law unless you explicitly mention that in a disclaimer AND the visitor of the website has actively opted-in because you also send the website's visitor's IP to that third-party server.

Ive always thought running turing complete code in browser was a mistake. Can you imagine going back though? I gladly would, but it aint gonna happen. Itd be the death or upheaval of entire industries. In my mind, itd be worth it. I mean, we might lose social media, and a lot of addictive algorithms. Oh the humanity.

rule #0 of importing 3rd party libraries: download a snapshot and use your own distribution rather than the 3rd party link. sure, I still sometimes use jquery. but I downloaded the source that worked when I wrote it. breaking changes and security risks avoided

Cloudflare's polyfill is unfortunately slow. Fastly's hosted version is a lot faster. And with Cloudflare's latest nightmare PR I'd probably steer clear of them.

It’s worse than Theo suggests. Thanks to the same-origin policy, third-party scripts can crawl any URL on your server as the authenticated user.

Can someone please give me tips on how to change this library on my project?

Could it be that Cloudflare Status was explicitly not using the Cloudflare-hosted library, so that it is still available during Cloudflare's downtime?

The real question is who owned the domain and sold it to the chinese governement?

This is why you should never embed an external package, ever. Instead, if you need the script for what you are doing, host it yourself.

this just feels like xz again. random thing everybody uses but nobody cares abt or pays attention to gets compromised, chaos ensues.

I always thought that using scripts from an external source was a bad idea. if you want to use the script, host it yourself. At least then you can scan the code and pin yourself to a specific version

What about those third party sites as well fake google analytics name? and the free host paste pin for codes.... I feel sad...

did he disable javascript before visiting hulu?

Who was using remote CDN for thing like this is just stupid. Use package manager omg.

ad networks put js on your site that comes from whoever has paid enough for a designated consumer profile.

one of the reasons I import the libs i wanna use and bundle them. never sat right with me to use cdn for my sites functionality

CDNs are fine, as long as you use the integrity attribute in your tag (at least for now...)

Can confirm they are still using polyfill

Same shit happened with Faker for PHP, if you generate in image, the domain changed owner.

wait this was a month ago? are all of the sites still compromised?

Just another reason to use an adblocker like ublock origin.

Hey, you need to say 'nerds' at the end! Do not be so lazy! :)

its probably too late already and they got a bunch of info.

So now companies from China are doing the same thing as the companies from US, things are getting interesting.

This is terrifying… I guess I know the first thing I’ll do at work today (check if we have it even if I think we don’t)