For example, Google considers the use of methods such as document.cookie, document.write, onmouseover and window.eval to be, from a security perspective, "bad practices" rather than "best practices". It points out that attackers can exploit these methods to attack the browser. The DOM Snitch extension detects such calls in the source code and then displays them in a list, marking the severity of each problem with traffic-light-style indicators.
DOM Snitch has three modes: standby, passive and invasive. It uses a number of techniques – method overloading, prototype hijacking and redefining getters and setters – to detect the calls and note the changes; in invasive mode, it will halt execution to allow testers to change the data before continuing. Google does not, however, make any suggestions on how to remove the risky functions from scripts.
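The three interception techniques named above, sketched as an added example for three of the listed APIs (this is not DOM Snitch's own code). `FakeDocument`, `instrument`, `review` and `makeSampleWindow` are hypothetical names, a constructed stand-in replaces the browser document so the sketch runs under Node, and the `review` callback is a simplified model of invasive mode.

```javascript
// Constructed stand-in for a browser document, so the sketch runs under Node.
class FakeDocument {
  constructor() { this._jar = ''; this.output = []; }
  get cookie() { return this._jar; }
  set cookie(v) { this._jar = v; }
  write(html) { this.output.push(html); }
}

// Hypothetical helper: hooks the three APIs and returns the findings log.
// `review` (optional) models invasive mode: it sees the data and may change it.
function instrument(win, review = (api, data) => data) {
  const log = [];
  const note = (api, kind, data) => {
    log.push({ api, kind, data });
    return review(api, data);
  };

  // Prototype hijacking: patch the shared prototype so every instance is covered.
  const proto = Object.getPrototypeOf(win.document);
  const origWrite = proto.write;
  proto.write = function (html) {
    return origWrite.call(this, note('document.write', 'call', html));
  };

  // Redefining getters and setters: wrap the existing cookie accessor.
  const desc = Object.getOwnPropertyDescriptor(proto, 'cookie');
  Object.defineProperty(proto, 'cookie', {
    configurable: true,
    get() { note('document.cookie', 'get', null); return desc.get.call(this); },
    set(v) { desc.set.call(this, note('document.cookie', 'set', v)); },
  });

  // Method overloading: replace the function slot on the object itself.
  const origEval = win.eval;
  win.eval = function (src) {
    return origEval.call(win, note('window.eval', 'call', src));
  };
  return log;
}

// Constructed sample window object (assumption: only these two members matter).
function makeSampleWindow() {
  return { document: new FakeDocument(), eval: globalThis.eval };
}
```

Calling `instrument(makeSampleWindow())` with no callback corresponds to passive observation: every hooked access is logged and passed through unchanged.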