JavaScript

cross-posted from: https://gregtech.eu/post/14912399

cross-posted from: https://lemmy.world/post/31859998

Please see the cross-post as it is updated.

As a security-conscious user, I've used NoScript since Firefox's early days, but its restrictive nature has become frustrating. I'm often forced to go unprotected just to access websites with multiple scripts running on different domains, which defeats the purpose of using NoScript and balances security and usability that it once provided.

Is there a way to block browser JavaScript from executing commands that retrieve sensitive information from my local machine, while still allowing JavaScript that is only used for rendering web pages?

greatly appreciate any insight

cross-posted from: https://lemmy.world/post/31859998

Please see the cross-post as it is updated.

Introducing Dim – a new framework that brings React-like functional JSX-syntax with JS. Check it out here:

🔗 Project: https://github.com/positive-intentions/dim

🔗 Website: https://dim.positive-intentions.com/

My journey with web components started with Lit, and while I appreciated its native browser support (less tooling!), coming from ReactJS, the class components felt like a step backward. The functional approach in React significantly improved my developer experience and debugging flow.

So, I set out to build a thin, functional wrapper around Lit, and Dim is the result! It's a proof-of-concept right now, with "main" hooks similar to React, plus some custom ones like useStore for encryption-at-rest. (Note: state management for encryption-at-rest is still unstable and currently uses a hardcoded password while I explore passwordless options like WebAuthn/Passkeys).

You can dive deeper into the documentation and see how it works here:

📚 Dim Docs: https://positive-intentions.com/docs/category/dim

This project is still in its early stages and very unstable, so expect breaking changes. I've already received valuable feedback on some functions regarding security, and I'm actively investigating those. I'm genuinely open to all feedback as I continue to develop it!

How would one include a passphrase when using the web crypto API when working with asymmetric encryption. I was able to figure out how to do asymmetric encryption without a passphrase using the web crypto API and was able to figure out how to do asymmetric encryption using the crypto library in NodeJS.

Asymmetric encryption using Web Crypto API (No Passphrase)

import { webcrypto } from 'crypto';

const MY_TEXT = 'My Text';

(async function () {
	const { publicKey, privateKey } = await webcrypto.subtle.generateKey(
		{
			name: 'rsa-Oaep',
			modulusLength: 2048,
			publicExponent: new Uint8Array([1, 0, 1]),
			hash: 'sha-256',
		},
		true,
		['encrypt', 'decrypt']
	);

	const encryptedTextArrayBuffer = await webcrypto.subtle.encrypt(
		{
			name: 'rsa-Oaep',
		},
		publicKey,
		new TextEncoder().encode(MY_TEXT)
	);

	let encryptedTextUint8Array = new Uint8Array(encryptedTextArrayBuffer);
	const ENCRYPTED_TEXT = convertUint8ArrayToBase64String(encryptedTextUint8Array);

	console.log(ENCRYPTED_TEXT);

	encryptedTextUint8Array = convertBase64StringToUint8Array(ENCRYPTED_TEXT);

	const decryptedArrayBuffer = await webcrypto.subtle.decrypt(
		{
			name: 'rsa-Oaep',
		},
		privateKey,
		encryptedTextUint8Array.buffer
	);

	console.log(new TextDecoder().decode(decryptedArrayBuffer));
})();

function convertUint8ArrayToBase64String(uint8Array) {
	const CHARACTER_CODES = String.fromCharCode(...uint8Array);
	return btoa(CHARACTER_CODES);
}

function convertBase64StringToUint8Array(base64String) {
	const CHARACTER_CODES = atob(base64String);

	const uint8Array = new Uint8Array(CHARACTER_CODES.length);
	uint8Array.set(
		new Uint8Array(
			[...CHARACTER_CODES].map(function (currentCharacterCode) {
				return currentCharacterCode.charCodeAt(0);
			})
))}

I stumbled on the exact same issue described at the end of the "The same issue, but with web platform functions" section today, thought it might be worth sharing that article here.

✍️ Reusable API proxy in just a few lines of JavaScript

For my project Mentions United, which collects interactions from various platforms via API to display them on the own page, at some point I needed a way to hide the authentication tokens required for some APIs from being used by unauthorized parties. You simply don’t leave your security keys lying around in the code, especially not if it’s publicly visible on GitHub. ...