Malicious JavaScript

Evil user stories

As a state actor, I want to seize a heavily used CryptPad server and serve malicious JavaScript because I can actively collect the keys to every document when users visit the site.

countermeasures:

• Verified client