I know that on the server side it's very bad to display system-level errors instead of logging them to disk, because it could expose potentially sensitive information, but do the same concerns apply to client-side languages like JavaScript?
e.g.,
try {
foo();
} catch ( exception ) {
if ( window.console ) {
console.log( exception );
}
}
Since everything is already accessible to the browser/user, I can't think of real problems.
The only thing I could find on the web was one example of outputting a password on a login form:
But the troublesome thing is that there may be an easy temptation to console.log() something very sensitive, like console.log(password_entered). [...] the fact that they obviously have a process in place which does not properly filter out [temporary debugging output] means that at some point they may accidentally expose something they would otherwise not want to (or their users wouldn’t want!).
I'm as paranoid as the next guy, but that seems a bit silly. Even in an extreme case like a password being exposed, wouldn't an attacker who was able to view it already have all the access they need? Or am I overlooking something?
Aucun commentaire:
Enregistrer un commentaire