And now I see lodash is a dependency.
Regardless of that, they will have to up their SEO game if they wanna outrank...
The ship has now sailed, but I still think it's worth pointing out that it is JavaScript's security model that is broken by design, that XSS vulnerabilities are the result, and the same origin policy is an incomplete workaround as illustrated by the article. This becomes clear when you consider that userdir URLs pre-date JavaScript.
The public suffix list is yet another incomplete workaround for the security flaw in the same origin policy (that "same origin" isn't a concept that can be clearly defined).
The modern web stack is a security house of cards, as demonstrated.
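To make the two comparisons this comment is arguing about concrete, here is an added illustration (not from the thread or any linked project) of what "same origin" actually compares versus what cookie scoping needs the public suffix list for; the miniature suffix list and the `~alice`/`~bob` userdir URLs are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed miniature public suffix list; the real PSL has thousands of rules.
MINI_PSL = {"com", "edu", "co.uk", "github.io"}


def origin(url):
    """The (scheme, host, port) tuple the same-origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """Userdir pages under one host are indistinguishable to this check."""
    return origin(url_a) == origin(url_b)


def naive_site(host):
    """What 'same site' looks like without a PSL: last two DNS labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def registrable_domain(host):
    """eTLD+1 per the PSL: longest matching public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in MINI_PSL:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None  # no rule matched: treat as not a registrable domain


def same_site(url_a, url_b):
    ra = registrable_domain(urlsplit(url_a).hostname or "")
    rb = registrable_domain(urlsplit(url_b).hostname or "")
    return ra is not None and ra == rb
```

The same-origin check cannot tell two users' pages on one host apart, and without the suffix list the naive site check would let `alice.github.io` and `bob.github.io` share cookies scoped to `github.io`.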
Is this a JS problem?
Projects large enough to require sophisticated MEP design require that the design be engineered by a qualified professional who is individually responsible for health, safety and welfare. This is not an artifact of modern guild cultures. The principle of personal builder responsibility goes all the way back to the code of Hammurabi.
I've been an iOS developer for a long time. I can tell you from experience that everyone does this. I have never worked for anyone who didn't ask for their app to include some combination of Facebook, Google, Flurry, AppCenter, Segment, Intercom, Parse, or whatever other random analytics framework the PM happens to be infatuated with.
Getting mad at Zoom for using the Facebook SDK is missing the point. They and a million others are always going to be doing this. Get mad at Apple for not letting you wireshark your own iPhone. Or having no way to package open source software where you can actually see what's running. As long as you're running binary blobs that can make whatever network connections they please, people are going to take your data and send it to places you don't know about.
Yeah maybe you can pass laws about it. But is that really a great solution? Who audits that? How do you determine what's legal and what's not? We should be pushing for a platform that makes it obvious what the software you're running is up to. The random pitchfork crusade against whatever company happens to catch a bad news cycle just isn't going to get us anywhere.
Parents were always the primary enforcement mechanism for doing homework, what would the school do if a kid was getting all Fs because they didn't care? The most a school can do is force kids to be quiet, and even then if the kids refuse to be quiet the school can't punish them - a child that does not voluntarily submit to punishments like sitting and not talking can only be sent home.