joule-extension
Ratelimit window creation requests
Description of the Feature or Idea
Ratelimit the speed at which sites can create getInfo()/sendInvoice()/makeInvoice() requests if they require opening a window (for example, getInfo(), if pre-approved, should not be ratelimited). In testing, a buggy/malicious site can easily open tens or hundreds of windows.
Existing Example(s) of Feature
Here is an example piece of code to trigger the malicious action:
<html>
  <head>
    <script src="https://unpkg.com/[email protected]/dist/webln.min.js" integrity="sha384-mTReBqbhPO7ljQeIoFaD1NYS2KiYMwFJhUNpdwLj+VIuhhjvHQlZ1XpwzAvd93nQ" crossorigin="anonymous"></script>
    <script>
      // Each call asks the WebLN provider for an invoice, which requires a prompt window.
      async function alertInvoice() {
        var webln = await WebLN.requestProvider();
        var weblnbolt11 = await webln.makeInvoice({defaultAmount: "5", minimumAmount: "1", maximumAmount: "10"});
      }
    </script>
  </head>
  <body>
    <!-- A single click fires 15 makeInvoice() requests back to back. -->
    <input type="button" onclick="for(var i = 0; i < 15; i++) {alertInvoice();}" value="Click me!" />
  </body>
</html>
This should be pretty simple to auto-reject if they call it more than, say, 2 times per second. Thanks for the test case!
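One way to implement the auto-reject suggested above, as an added example that is not code from joule-extension: a per-origin sliding-window limiter applied only to requests that would open a prompt window. The class, method and parameter names are hypothetical, and the default of 2 prompts per second is the threshold mentioned in the reply.

```javascript
// Added example: per-origin sliding-window limiter for prompt-opening requests.
// All names here (PromptRateLimiter, needsWindow, simulateBurst) are hypothetical.
class PromptRateLimiter {
  constructor({ maxPerWindow = 2, windowMs = 1000 } = {}) {
    this.maxPerWindow = maxPerWindow;
    this.windowMs = windowMs;
    this.recent = new Map(); // origin -> timestamps (ms) of prompts that were allowed
  }

  // Returns true if the request may proceed, false if it should be auto-rejected.
  allow(origin, needsWindow, now = Date.now()) {
    // Requests answered without a prompt (e.g. a pre-approved getInfo()) are not limited.
    if (!needsWindow) return true;

    // Keep only the timestamps that are still inside the sliding window.
    const cutoff = now - this.windowMs;
    const times = (this.recent.get(origin) || []).filter((t) => t > cutoff);

    const ok = times.length < this.maxPerWindow;
    if (ok) times.push(now);

    // Drop empty entries so idle origins do not accumulate in the map.
    if (times.length > 0) this.recent.set(origin, times);
    else this.recent.delete(origin);
    return ok;
  }
}

// Constructed scenario mirroring the test case: `count` makeInvoice() calls
// from one origin, arriving about 1 ms apart starting at time `now`.
function simulateBurst(limiter, origin, count, now) {
  let opened = 0;
  let rejected = 0;
  for (let i = 0; i < count; i++) {
    if (limiter.allow(origin, true, now + i)) opened++;
    else rejected++;
  }
  return { opened, rejected };
}
```

Only allowed prompts are counted, so a site that keeps calling still gets at most two windows per second; counting rejected calls as well would penalise sustained bursts more heavily.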