upvote

points

by kvdveer18 hours ago |
comments
upvoteby lmm18 hours ago|
next
[-]
> advertisers will just require that you compile their library into the first party js code, negating any benefit from such a security model.

It will become harder for advertisers to deny responsibility for ads that violate their stated policies if they have to submit the ads ahead of time. Also site operators will need a certain level of technical competence to do this.

reply
upvoteby miki12321117 hours ago|
parent|
[-]
More likely, advertisers will need you to insert a "bootloader" that fetches their code and passes it to eval().

Alternatively, they might require you to set up a subdomain with a cname alias pointing to them (or a common CDN), negating any security benefits of such a practice.

reply
upvoteby thepasch15 hours ago|
parent|
[-]
> More likely, advertisers will need you to insert a “bootloader” that fetches their code and passes it to eval().

Sounds like legal precedent waiting to be set. “Run our code so that it looks like your code, acts like your code, and has all the same access as your code” seems like it should be a slam dunk if said code ends up doing a Very Bad Thing to your visitors.

But of course that’s assuming common sense, and the law’s relationship with that isn’t always particularly apparent.

reply
upvoteby ImPostingOnHN11 hours ago|
parent|
[-]
There is already plenty of precedent for real-time-served ads which are annoying, or malicious, or install malware; or outright exploit vulnerabilities in the browser.
reply
upvoteby Ma8ee17 hours ago|
prev|
[-]
The advantage would be that I know beforehand, and have the opportunity to test and, possibly, reject, what the advertiser want me to send to someone’s browser.
reply