i read it twice and i still don’t understand the article.
is this site complaining about 3rd party analytics?
there is also a table further down that shows various banks sharing data with… themselves? citibank will share data with citibank, and first direct (aka hsbc) will obviously share data with hsbc.
can someone explain what this article is actually about?
> i read it twice and i still don’t understand the article.
Any recommendations to improve are welcome
> is this site complaining about 3rd party analytics?
If a bank page includes a script tag that loads third party JavaScript from a non-bank server, then what is to stop that script from capturing data, submitting forms, spoofing page content?
The bank has effectively given these third parties unaudited remote access, via remote code execution, to consumers' bank accounts.
A bank can safely use third party analytics if they adopt appropriate security measures, SRI is likely to be one, but alone might not be enough.
In the cases found here, there is no SRI protection or similar to protect users from the third parties doing what they like on the page, acting as customers.
> there is also a table further down that shows various banks sharing data with… themselves?
This is an oddity due to the test suite spotting JS from a separate domain for the same bank ( https://gitlab.com/markalanrichards/access-test/-/blob/main/... ): thank you for highlighting this, and when I get time I hope to improve this and filter it out.
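An added example, not part of the comments above or of the linked test suite: a small audit that lists the external scripts a page loads from other hosts without an `integrity` attribute, with an optional allow-list for a bank's own second domains (the oddity discussed in the reply). The hostnames, the `first_party` parameter and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SRI_PREFIXES = ("sha256-", "sha384-", "sha512-")

class ScriptAudit(HTMLParser):
    """Record every <script src=...> with its host and whether it carries SRI."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if not a.get("src"):
            return  # inline script: served by the page itself
        url = urljoin(self.page_url, a["src"])  # resolves relative and //host forms
        tokens = (a.get("integrity") or "").split()
        # Presence check only: the digest is not verified against the file here.
        has_sri = any(t.startswith(SRI_PREFIXES) for t in tokens)
        self.findings.append({"url": url, "host": urlsplit(url).hostname, "sri": has_sri})

def audit(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

def unpinned_third_party(page_url, html, first_party=frozenset()):
    """URLs of scripts from hosts outside the page host and allow-list, lacking SRI."""
    own = {urlsplit(page_url).hostname} | set(first_party)
    return [f["url"] for f in audit(page_url, html)
            if f["host"] not in own and not f["sri"]]

# Constructed sample page; all hosts and the digest are placeholders.
PAGE = "https://bank.example/login"
SAMPLE = """
<script src="/static/app.js"></script>
<script src="https://analytics.example/tag.js"></script>
<script src="//cdn.example/lib.js" integrity="sha384-CONSTRUCTEDPLACEHOLDER"
        crossorigin="anonymous"></script>
<script src="https://assets.bank-cdn.example/ui.js"></script>
<script>console.log("inline")</script>
"""

if __name__ == "__main__":
    print(unpinned_third_party(PAGE, SAMPLE))
    print(unpinned_third_party(PAGE, SAMPLE, first_party={"assets.bank-cdn.example"}))
```

Scripts inserted at runtime by other scripts do not appear in the static HTML, so a result from this check is a lower bound on what the page actually loads.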