undefined | Better HN

0 pointsrezonant4y ago0 comments

That's right, unless the form was running in Browsix, or I suppose at least the same browsing context (ie same origin on the same browser instance on the same computing device) since you could emulate submission across multiple tabs of the same website using something like the BroadcastChannel API[1]

[1] https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_C...

EDIT: To be clear, this would require effort (TM)- the form would need to have a Javascript onsubmit handler and use preventDefault to stop the browser itself from handling it in order to facilitate that

0 comments

rank04y ago

Neat! Thanks for working on this project and answering my questions.

Perhaps I need to look into it more but what you’re describing isn’t exactly far fetched.

With a csrf attack the victim has navigated to a malicious web app where the cross origin request does originate from the same browser instance where my hypothetical browsix http proxy is running.

Since I control the malicious app, I don’t see why I wouldn’t be able to have an onsubmit handler that proxies requests into browsix.

I’m not saying there’s guaranteed offensive use cases here…it’s just my intuition telling me it’s worth looking into for myself.

My comments aren’t intended as a criticism of your library. If I got a client to navigate to a web app I control there’s plenty of js-enabled damage to be caused without browsix.

rezonantOP4y ago

Nah I don't work on this project, but I did stay at a Holiday Inn Express last night.

j / k navigate · click thread line to collapse