How to verify the id_token from the browser in OAuth2?

I have been delving into OAuth2 and OpenID Connect for the authorization flow, and I'm still a bit confused.

I do understand that during the code exchange for an access token the user receives an access_token and, on top of that, also an id_token. The ID token has personal information like email and username, amongst other things.

My main questions:

  1. How will the browser be able to verify the ID token? Will the frontend need to have the signing key shared with it ahead of time?
  2. Does having the id_token mean that session cookies become obsolete in the application? Is it safe to treat them as the same?

Can a system administrator check if their website is being scraped by a headless browser?

A recent article on scraping TikTok and Facebook states:

On the one hand running selenium headlessly is perfect to keep your machine “cool”, however it may help get you flagged as a scraper. System administrators can spot a headless request with ease.

The author uses a random User-Agent for each request, so I'm not sure where the logs would indicate that a headless version of a browser is making the request. Are there any specific signatures to detect a headless browser?

Good faith effort on the question:

With foresight, it looks like one could make a check for things like the webdriver version (which can be spoofed too). However, by saying "system administrators", the quote seems to imply that the logs themselves are sufficient to detect a headless browser.

Browser setup to stay safe from malware and unwanted stuff

I have to set up a browser to surf the internet while trying to stay as safe from malware as possible (I already know that there's no way to be 100% safe).

My idea is: use Firefox with these extensions: Adblock Plus, uBlock Origin, HTTPS Everywhere and, most importantly, NoScript Security Suite. I also thought about clearing the cache when Firefox is closed (https://superuser.com/questions/461574/does-clearing-the-browser-cache-provide-real-security-benefits).

But since I'm not an expert, I searched the internet for info and read this: https://security.stackexchange.com/a/27957, where he said:

disabling JS should not be considered a silver bullet for browser security

and

Take into consideration that NoScript will also increase the attack surface

Before reading this, I was pretty sure that NoScript would have been enough to make the browser very, very safe. But now I'm wondering if there are safer ways to secure the browser, and I have these questions:

Is my idea good? If so, what can I improve?

Should I use Chrome instead of Firefox? (I read this https://security.stackexchange.com/a/113, so I'm asking.)

Are the extensions I mention above good? (I know that both Adblock Plus and uBlock Origin block more or less the same ads, but I prefer to keep both. Browser performance is not a problem.)

Is there any other extension that I should install?

Are there other browser settings that I should enable/disable (such as the option to clear the cache when Firefox is closed)?

I already know the basic rules, such as updating the browser and OS, not opening unsafe links, etc. I would like to know advanced tips. I know that it also depends on the operating system and other things, but in this topic I would like to talk about the browser.

PS: I know that instead of NoScript I could just disable scripts globally in the browser settings, but I like the way I can allow a script on a site, because some sites do not work without a specific script.

PPS: Sorry for my bad English.

Is Google (not just Google?) session hijacking possible within the browser?

The following YouTube video talks about Google session hijacking starting from Gmail.

I generally believe that hacking (in modern browsers, excluding short-term critical bugs) cannot be initiated by the owner of a website; otherwise the web would be very dangerous.

There are 2 points in the video that I am skeptical about. Are the following possible (providing any important information)?

  1. Clicking a link in Gmail can lead to a Google session hijack.
  2. Downloading a file may lead to it being executed in the background.

Need help converting template to mobile browser template.

I need a little help converting this attached template file to a template which can also be used in mobile browsers.

All I need is 2 things:
1. Proper font sizes so users need not zoom to read on mobiles.
If possible, the font adjusts automatically on laptop screens and does not appear too large.
What font size settings should I use?

2. The design stretches from left to right automatically so that I can make use of the available space.
I do not want the webpage to go beyond horizontal…


Is it normal that the service WMI Performance Adapter always starts when launching the Chrome browser? What's the reason?

Is it normal that the service WMI Performance Adapter (WmiApSrv.exe) always starts when launching the Chrome browser? What's the reason?

I have heard this service can be maliciously used to "communicate" through the internet via open ports?

When I forcefully end this process in the task manager, Chrome keeps running perfectly, without issues.

Could it be that this WMI process is needed because of one of Chrome's features, called "Conceal local IP addresses with mDNS hostnames"?

Thanks!

Browser copy function overridden silently, is this a security risk?

I came across a site which overrides the copy functionality and injects the current page URL as the paste value. I was trying to select a couple of words and instead it copied the page link. A simple developer tools inspection showed the event being overridden with the following function:

 window.addEventListener("copy", event => {
   // The selection is read but then ignored: the page never copies it.
   const selection = document.getSelection();
   // Replace the clipboard contents with the page URL instead.
   event.clipboardData.setData("text/plain", window.location.href);
   // Suppress the browser's default copy of the selected text.
   event.preventDefault();
 });

While in this case it's annoying but harmless, I'm wondering if it's a good idea to allow user intentions to be changed without any warning to the user. Even the test code from the MDN copy event page allowed me to change it to random text without any warning. Basically, I'm trying to copy "abcd" to the clipboard and the browser copies "wxyz".

I'm wondering if hackers can take over this functionality and copy their choice of links or data onto the clipboard, especially since browsers did not seem to warn you that the text you selected and tried to copy has been modified.

I have tried this on the latest versions of Firefox and Chromium available on Ubuntu 18.04 and neither browser warned me about anything.

Should I use HTML5 canvas for a 2D image browser game / app?

Ok, I hope this hasn't been asked, but I could not find anything, especially nothing recent.

Quick Background: I've been away from programming for a couple of years and dusted off an old project to create a browser game that is already quite functional and I would like to complete, but actually as an iOS / Android app instead of a desktop browser game.

Current Technology Used: CodeIgniter framework, PHP, SQLite, JavaScript / jQuery (and obviously HTML / CSS)

Very Basics of the Game: The game itself is basically a civilization, build-an-empire type game. The game area is a background image inside of a DIV element with spaces to build things. Once "built", the buildings are isometric images that are absolutely floated with CSS and aligned over the top of the background to appear where they were built in the city. I think that paints the picture, but basically those "buildings" (floated images) are also links that open up additional dialogs and give more game functionality.

Example of game layout

My Question: Keeping in mind that, other than aligning the images properly over the background image, all of the images in my game are static:

  • Should I actually be using an HTML5 <canvas> element for this task?

  • Also, does the UI get wrapped in the canvas too? (That's maybe a separate question.)

  • Should I use an HTML5 framework to work with the canvas?

  • Does any of this change if my goal is to publish on iOS / Android instead of a desktop browser experience (i.e. the Apple review process)?

Or are both of these methods just the completely wrong approach? Hah. I hope I've kept this as clear as possible, and thank you for your time and input!!

P.S. I should also say my current strategy is to just keep programming it as a browser game (checking Chrome dev tools to see how it looks on a phone) and assume I can wrap it later. But if that's wrong, I want to get ahead of it.