AllowCode -Option in Hubzilla

Hubzilla connected people. Workshop
AllowCode is a per channel permission granted by the admin. If I understand it correctly (and I don't fully yet) it is dangerous because it allows a channel to serve JavaScript that could in principle hijack another account. For example, if someone is authenticated to your hub and has a browser cookie from with their session key, then JavaScript downloaded from the same domain is assumed by the browser to be trusted; but if your channel can serve JavaScript, then you could access their browser cookie and send the contents to wherever you want and use the session cookie to authenticate as the person who visited your webpage.
Cite from

#AllowCode #PayPal #JavaScript #cookie #session