02. Threat Models for Web Security

Dated Nov 21, 2018; last modified on Sun, 14 Mar 2021

#1: Network Adversary

Addressed by secure communication protocols (+ network security)

#2: User visits adversary’s page

Variants:

  • Attacker gets the user to click a link, e.g. one that adds an item to their shopping cart.
  • Attacker gets the user’s browser to request a link on its own, without the user clicking anything.
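The two variants look different from the server's side. The following is an added example (not part of these notes) that labels an incoming request by what the browser itself reports in the Fetch Metadata headers (Sec-Fetch-Site, Sec-Fetch-Mode), falling back to Origin for older browsers, and only performs a cart change for same-site requests; SITE_ORIGIN and the sample headers are constructed for the example.

```javascript
// Added example, not from the notes: label a request by where the browser
// says it came from, using the Fetch Metadata headers (Sec-Fetch-Site,
// Sec-Fetch-Mode) that current browsers attach, with Origin as a fallback.
// SITE_ORIGIN is an assumed value for the shop being protected.
const SITE_ORIGIN = "https://shop.example";

// Returns "same-site", "user-navigation", "cross-site" or "unknown".
function classifyRequest(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const site = h["sec-fetch-site"];
  const mode = h["sec-fetch-mode"];
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return "same-site"; // our own pages, or typed/bookmarked by the user
  }
  if (site === "cross-site") {
    // Variant 1: the user clicked a link on the adversary's page
    // (a top-level navigation into our site).
    if (mode === "navigate") return "user-navigation";
    // Variant 2: the adversary's page made the browser fetch the URL itself
    // (e.g. as an <img> source or via fetch()).
    return "cross-site";
  }
  // Older browser without Fetch Metadata: fall back to the Origin header,
  // which browsers send on cross-site POSTs but not on plain GET links.
  if (h["origin"] !== undefined) {
    return h["origin"] === SITE_ORIGIN ? "same-site" : "cross-site";
  }
  return "unknown";
}

// Policy for a state-changing action such as "add to cart": only perform it
// for requests from our own site. A cross-site navigation may still render
// the page, but the action itself is not carried out.
function shouldPerformCartAction(headers) {
  return classifyRequest(headers) === "same-site";
}

// Constructed request headers for each case (not captured traffic).
const SAMPLE_REQUESTS = {
  clickedLink: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate" },
  imgTag: { "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors" },
  ownForm: { "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate" },
  oldBrowserCrossPost: { Origin: "https://attacker.example" },
};

for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
  console.log(name, classifyRequest(headers), shouldPerformCartAction(headers));
}
```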

#3: Adversary is a third-party

<iframe src="https://third-party.com/widget"></iframe>

Note that an adversary’s script being embedded directly, e.g. through a <script> tag, is not a threat model: such a script runs with the full privileges of the embedding page, so there is no boundary left to defend.

#4: Adversary interacts with the server