XSS & Single-Page Apps
I'm researching web security, and have seen that token-based authentication is good for CSRF prevention, distributed system architectures and processing performance.
But another problem is XSS. Not specifically talking about the injection itself, but the libraries. With single-page apps developers normally include hundreds of different modules into their code, which could later on execute maliciously when the app is in production.
Patching XMLHttpRequest
So I had the idea to patch the XMLHttpRequest property and take control of the original "native code" function, preventing third-party code from making ajax requests.
(function () {
  // my code
  let XHR = window.XMLHttpRequest
  window.XMLHttpRequest = null
})()
// load third-party code after...
I tested this in the console with Facebook and YouTube... all their ajax-loaded content stops working.
Malicious Example
An example of uncaught malicious behavior is code that only executes in production by checking if the window.location is something like "app.x.com", so the developer isn't aware of the ajax requests during development.
Patching the XMLHttpRequest property would prevent this, and taking into consideration that all other measures were taken to prevent XSS (sanitization), this would close the final gap and let you take control of network requests, preventing malicious code from stealing the auth tokens.
Final Doubt
Are there any caveats to this approach? (security-wise)
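
An added example, not part of the original post: it extends the post's patch from `XMLHttpRequest` to other network-capable globals and pins each one to `null` so that later code cannot reassign it. The helper name `lockNetworkGlobals`, the API list and the stand-in window object are assumptions constructed for illustration.

```javascript
// Network-capable globals a script can reach directly. XMLHttpRequest is the
// one from the post; the others are standard web platform APIs.
const NETWORK_GLOBALS = ['XMLHttpRequest', 'fetch', 'WebSocket', 'EventSource'];

// Hypothetical helper (not from the post): capture each native into the
// returned object, then pin the global to null so it cannot be reassigned
// or redefined afterwards.
function lockNetworkGlobals(win, names = NETWORK_GLOBALS) {
  const natives = {};
  const skipped = [];
  for (const name of names) {
    const desc = Object.getOwnPropertyDescriptor(win, name);
    // Absent in this environment, or already non-configurable: report it.
    if (!desc || !desc.configurable) { skipped.push(name); continue; }
    natives[name] = win[name];
    Object.defineProperty(win, name, {
      value: null, writable: false, configurable: false, enumerable: false,
    });
  }
  return { natives, skipped };
}

// Constructed stand-in for `window`, so the example runs outside a browser.
function makeFakeWindow() {
  return {
    XMLHttpRequest: function XMLHttpRequest() {},
    fetch: function fetch() {},
    WebSocket: function WebSocket() {},
  };
}

function demo() {
  const win = makeFakeWindow();
  const original = win.XMLHttpRequest;
  const { natives, skipped } = lockNetworkGlobals(win);
  // A later script trying to put the constructor back: throws in strict
  // mode, is silently ignored otherwise. Either way the value stays null.
  try { win.XMLHttpRequest = original; } catch (e) { /* TypeError in strict mode */ }
  return {
    keptNative: natives.XMLHttpRequest === original,
    xhrAfter: win.XMLHttpRequest,
    fetchAfter: win.fetch,
    skipped,
  };
}
```

Call it before any third-party script loads and keep the returned natives inside a closure, as the post's snippet does. Requests triggered through markup rather than through these globals are governed by the page's Content-Security-Policy, not by this patch.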