Cross-Site Scripting (XSS)

XSS enables an attacker to compromise a website by injecting arbitrary script into its pages. This is especially dangerous for browser-based wallets. Wallets should therefore run in an isolated environment, such as a browser extension or an iframe, so that a site using the wallet can be compromised without the wallet itself being compromised. In particular, an embedded wallet should be served from a different domain than less-secure pages such as landing pages and demos, because the isolation an iframe provides rests on the browser's same-origin policy. Wallets should also apply a strict content security policy (CSP).
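As an added example (not code from the original page), the two controls described above for an embedded wallet: a strict CSP for the wallet origin, shown next to a weak one, and the wallet iframe's message handler, which only acts on requests whose `event.origin` is an allowlisted embedding page. The origins `https://wallet.example`, `https://app.example` and `https://demo.example` and the request types are constructed placeholders.

```javascript
// Added example: wallet served from https://wallet.example (constructed) and
// embedded as an iframe by dapps on the constructed origins below.
const ALLOWED_EMBEDDERS = ["https://app.example", "https://demo.example"];
const SUPPORTED = ["getAddress", "signMessage"]; // constructed request types

// Strict CSP for the wallet origin: nothing loads by default, script only from
// the wallet's own origin (no inline script), no plugins, no base-tag or form
// hijacking, and only the allowlisted dapps may frame the wallet.
function walletCsp(embedders = ALLOWED_EMBEDDERS) {
  return [
    "default-src 'none'",
    "script-src 'self'",
    "style-src 'self'",
    "connect-src 'self'",
    "img-src 'self'",
    "base-uri 'none'",
    "form-action 'none'",
    "object-src 'none'",
    `frame-ancestors ${embedders.join(" ")}`,
  ].join("; ");
}

// Weak variant for comparison: 'unsafe-inline' lets injected inline script run
// and 'frame-ancestors *' lets any page frame the wallet.
const WEAK_CSP = "default-src *; script-src * 'unsafe-inline'; frame-ancestors *";

// Inside the wallet iframe. event.origin is filled in by the browser and cannot
// be set by the sending page, so it is the value to check.
function isTrustedEmbedder(origin, embedders = ALLOWED_EMBEDDERS) {
  return embedders.includes(origin);
}

// Returns null for untrusted senders (dropped, never answered) and otherwise a
// reply object that carries the exact origin to use as postMessage targetOrigin.
function handleWalletMessage(event, embedders = ALLOWED_EMBEDDERS) {
  if (!isTrustedEmbedder(event.origin, embedders)) return null;
  const req = event.data;
  if (!req || typeof req.type !== "string" || !SUPPORTED.includes(req.type)) {
    return { ok: false, error: "unsupported request", targetOrigin: event.origin };
  }
  return { ok: true, type: req.type, targetOrigin: event.origin };
}

if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const reply = handleWalletMessage(event);
    // Reply to the verified origin only; never pass "*" as targetOrigin.
    if (reply) event.source.postMessage(reply, reply.targetOrigin);
  });
}
```

The CSP string is meant to be sent as the `Content-Security-Policy` response header by whatever serves the wallet origin; the weak variant is shown only to contrast with it.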
