Overall, the campaign has been a big success and my colourful console code is now directly depended on by 23 packages. One of those packages is itself depended upon by a pretty widely used package — my cash cow. I’m now getting about 120,000 downloads a month, and I’m proud to announce, my nasty code is executing daily on thousands of sites, including a handful of Alexa-top-1000 sites, sending me torrents of usernames, passwords and credit card details.
As suggested here, you might want to consider having dedicated, lightweight pages for login and credit card collection that are served up in an iFrame.
Amazon has no CSP at all on the page where you type your credit card number in, nor does eBay.
Twitter and PayPal have CSPs, but it’s still dead easy to get your data from them.
They don’t set so I can send your credentials wherever I damn well please.
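A check a site owner can run against their own card-entry or login page's CSP, covering the two points above: whether the policy actually closes the channels a page script could use to reach an arbitrary origin (remembering that some directives fall back to default-src and form-action does not), and whether a dedicated page meant to live in an iFrame pins frame-ancestors. This is an added example, not code from the original post; all headers and hostnames in it are constructed.

```python
# Added example (not from the original post): parse a Content-Security-Policy header
# and report which outbound channels page content could still use to reach an
# arbitrary origin. All sample headers and hostnames below are constructed.
from typing import Dict, List, Optional

# Directive -> whether it falls back to default-src when absent.
CHANNELS = {
    "connect-src": True,   # fetch / XMLHttpRequest / sendBeacon / WebSocket
    "img-src": True,       # image loads
    "form-action": False,  # <form> submission targets; no default-src fallback
    "frame-src": True,     # nested browsing contexts
}
WILDCARDS = {"*", "https:", "http:", "ws:", "wss:"}  # any-origin source tokens

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source tokens]}; first occurrence wins."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list governing `directive` after default-src fallback; None = unrestricted."""
    if directive in policy:
        return policy[directive]
    if CHANNELS[directive] and "default-src" in policy:
        return policy["default-src"]
    return None

def is_unrestricted(sources: Optional[List[str]]) -> bool:
    """True when the list is missing or contains a scheme/host wildcard."""
    return sources is None or any(s in WILDCARDS for s in sources)

def open_channels(header: str) -> List[str]:
    """Directives under which a script could send data to a host of its choosing."""
    policy = parse_csp(header)
    return [d for d in CHANNELS if is_unrestricted(effective_sources(policy, d))]

def framable_by_anyone(header: str) -> bool:
    """A dedicated card-entry page served in an iFrame should pin frame-ancestors."""
    return is_unrestricted(parse_csp(header).get("frame-ancestors"))

# Constructed headers: no policy, a typical loose one, and a tight one for a
# dedicated card-entry page that is only ever framed by https://shop.example.
NO_CSP = ""
LOOSE_CSP = "default-src 'self' https:; script-src 'self' https://cdn.example"
TIGHT_CSP = ("default-src 'none'; script-src 'self'; connect-src https://api.shop.example; "
             "img-src 'self'; form-action 'self'; frame-src 'none'; frame-ancestors https://shop.example")
```

`open_channels(LOOSE_CSP)` reports every channel open because the `https:` source in default-src allows any HTTPS origin, and form-action is open simply because it was never set.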
If you send me in the mail I’ll tell you if my code is running on the Google sign in page.

It’s been a frantic week of security scares — it seems like every day there’s a new vulnerability.