Hacker News

So my browser starts loading a page from a link that I haven't clicked. Does anyone else see the potential security nightmare in this scenario?

Drive-by downloads, malware, etc. I totally get the benefits of this mechanism until it starts being abused for tracking and delivering malware, and then add-ons will (hopefully) appear to block this.



What, how is this a security nightmare? What's your threat model? You think I, the website operator, am the enemy? Then I can just window.location you. You think the website operator is hosting compromising links because they've been suckered? But then once you click them you're going to be compromised.

I swear to God, so many HN comments just say "security nightmare" for everything.


It's no different than any other JavaScript-enabled browser + web page.

The modern web is pulling in the background all the time.

You'd have to go back decades for 1 click to equal 1 GET.


Funnily enough, HN therefore seems to be a time traveler from decades ago :)


7 requests per page load. No, I don't think so.


None of which are JavaScript-triggered.


The preloaded page won't get rendered until you click on it. Assuming that malware activates only by rendering, not simply by downloading, this seems safe.



