
js code can access the global scope and do anything

Open SArpnt opened this issue 9 months ago • 3 comments

try it out

```js
function(){this.document.location='/'+'/youtu.be/oHg5SJYRHA0'}()
```

if you ran the js code in an audio worklet like my site does, you wouldn't need all the text filters and monkey patching, it would be far more secure, and it would be far more efficient.

SArpnt avatar Apr 24 '24 01:04 SArpnt

The code for audio is already run in an audio worklet. The code for some visualization is not. Not sure when I'll have time to deal with it. I'm not super worried though. The site itself has nothing to steal. It's not a site with accounts or logins or data.

I mean, you can also do this

greggman avatar Apr 25 '24 16:04 greggman

> The code for audio is already run in an audio worklet.

ah, i hadn't checked it recently. the last time i checked, the website used some older audio api that ran in the main thread, and i assumed this hadn't changed because `document` and other such variables just aren't available in a worklet.

personally my issue with it is that the urls can be misleading (what looks like it should just play some sounds can actually do just about any network requests before you can even react) and that it could likely be used to cheat in competitions, for example, by fitting a network request into some highly obfuscated code to load extra code that extends the length of a song. there's also almost certainly increased attack surface to take advantage of browser security issues.

even without any malicious intent, i'm fairly sure that running js in the main thread makes it much easier to freeze/crash the browser (i really do not want to go about testing various methods for that right now)

EDIT: i looked at some other bytebeat websites and did manage to accidentally test that. it is absurdly easy to freeze the browser.

to be clear, i'm just listing reasons, i don't really consider it high priority either. honestly i would rather be able to eventually pull some kind of prank using a buggy bytebeat player when i have a good idea and the patience to pull it off

SArpnt avatar Apr 26 '24 04:04 SArpnt
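The isolation the two comments above are talking about, as an added example that is not html5bytebeat's own code: a minimal bytebeat `AudioWorkletProcessor` that compiles the user's expression inside the worklet's global scope (`AudioWorkletGlobalScope`), where `document`, `window`, `location`, `fetch` and `XMLHttpRequest` do not exist, so the payload from the first comment fails by absence rather than by text filtering. The processor name `'bytebeat'`, the `addModule` loading step and the `Base` fallback (a stub so the same file loads under Node.js for the checks at the bottom) are assumptions of this example; the real isolation comes from the worklet running in its own global on the audio rendering thread, not from anything Node-specific.

```javascript
// Added example, not html5bytebeat project code.
// In a browser: await audioContext.audioWorklet.addModule('bytebeat-worklet.js');
//               const node = new AudioWorkletNode(audioContext, 'bytebeat');
//               node.port.postMessage('t*(t>>5|t>>8)&255');
// `Base` falls back to a stub class so this file also loads under Node.js (assumed for testing).
const Base = globalThis.AudioWorkletProcessor ??
  class { constructor() { this.port = { onmessage: null, postMessage() {} }; } };

// Turn a bytebeat expression such as `t*(t>>5|t>>8)&255` into a function of t.
// `new Function` resolves free identifiers against the global scope of the thread
// it runs on: inside a worklet that is AudioWorkletGlobalScope, which has no `document`.
// Strict mode is defence in depth: `this` inside the expression becomes undefined,
// so `this.document` throws a TypeError even in a scope that did have a document.
function compileExpression(src) {
  return new Function('t', '"use strict"; return (' + src + ');');
}

// Evaluate n samples starting at t0 and return them as bytes (0..255).
// A runtime error or non-numeric result becomes 0 for that sample, so a bad
// expression cannot take the processor down. Note what this does NOT protect
// against: an infinite loop here still stalls the audio rendering thread
// (audio stops), it just no longer freezes the page's main thread.
function renderBytes(fn, t0, n) {
  const out = new Uint8Array(n);
  for (let i = 0; i < n; i++) {
    let v = 0;
    try { v = fn(t0 + i); } catch (err) { v = 0; }
    out[i] = v & 255; // NaN & 255 === 0 and undefined & 255 === 0
  }
  return out;
}

class BytebeatProcessor extends Base {
  constructor() {
    super();
    this.t = 0;
    this.fn = null;
    // Only a string crosses from the page to the worklet; the page never evaluates it.
    this.port.onmessage = (e) => { this.port.postMessage(this.setExpression(e.data)); };
  }

  // Returns true if the expression parsed, false on a syntax error (caught here).
  setExpression(src) {
    try { this.fn = compileExpression(String(src)); this.t = 0; return true; }
    catch (err) { this.fn = null; return false; }
  }

  process(inputs, outputs) {
    const channel = outputs[0] && outputs[0][0];
    if (!channel) return true;
    if (!this.fn) { channel.fill(0); return true; }
    const bytes = renderBytes(this.fn, this.t, channel.length);
    for (let i = 0; i < channel.length; i++) channel[i] = bytes[i] / 127.5 - 1; // byte -> -1..1
    this.t += channel.length;
    return true; // keep the node alive
  }
}

if (typeof registerProcessor === 'function') registerProcessor('bytebeat', BytebeatProcessor);
```

The important line is the `new Function` call: it is the same call a main-thread player makes, and nothing about the expression text is inspected or rewritten. What changes is where it runs, so `this.document.location=...` becomes a `TypeError` and `document.title` a `ReferenceError`, both of which `renderBytes` turns into a silent sample. Worth keeping in mind from the comment above: this removes DOM and navigation access, but it does not bound CPU time, so a hostile expression can still make the audio thread spin.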

I think it's fixed: the 2 visualizers that used the expressions locally no longer do. I had to hack a bunch of stuff, but fingers crossed it's not broken.


Might need to clear your cache for the newest code

greggman avatar Apr 27 '24 09:04 greggman