
js code can access the global scope and do anything #42

Closed
SArpnt opened this issue Apr 24, 2024 · 3 comments

Comments

@SArpnt

SArpnt commented Apr 24, 2024

try it out

```js
function(){this.document.location='/'+'/youtu.be/oHg5SJYRHA0'}()
```

if you ran the js code in an audio worklet like my site does, you wouldn't need all the text filters and monkey patching, it would be far more secure, and it would be far more efficient.

@greggman
Owner

greggman commented Apr 25, 2024

The code for audio is already run in an audio worklet. The code for some visualization is not. Not sure when I'll have time to deal with it. I'm not super worried though. The site itself has nothing to steal. It's not a site with accounts or logins or data.

I mean, you can also do this

@SArpnt
Author

SArpnt commented Apr 26, 2024

> The code for audio is already run in an audio worklet.

ah, i hadn't checked it recently, last i checked the website used some older audio api that ran in the main thread, and i assumed this hadn't changed because document and other such variables just aren't available in a worklet.

personally my issue with it is that the urls can be misleading (what looks like it should just play some sounds can actually do just about any network requests before you can even react) and that it could likely be used to cheat in competitions, for example, by fitting a network request into some highly obfuscated code to load extra code that extends the length of a song. there's also almost certainly increased attack surface to take advantage of browser security issues.

even without any malicious intent, i'm fairly sure that running js in the main thread makes it much easier to freeze/crash the browser (i really do not want to go about testing various methods for that right now)

EDIT: i looked at some other bytebeat websites and did manage to accidentally test that. it is absurdly easy to freeze the browser.

to be clear, i'm just listing reasons, i don't really consider it high priority either. honestly i would rather be able to eventually pull some kind of prank using a buggy bytebeat player when i have a good idea and the patience to pull it off

@greggman
Owner

I think it's fixed so the 2 visualizers that used the expressions locally no longer do. I had to hack a bunch of stuff, but cross my fingers it's not broken.

[Screenshot 2024-04-27 at 11 30 08]

Might need to clear your cache for the newest code

@SArpnt SArpnt closed this as completed May 16, 2024