That's right, unless the form was running in Browsix, or I suppose at least the same browsing context (ie same origin on the same browser instance on the same computing device) since you could emulate submission across multiple tabs of the same website using something like the BroadcastChannel API[1]
EDIT: To be clear, this would require effort (TM)- the form would need to have a Javascript onsubmit handler and use preventDefault to stop the browser itself from handling it in order to facilitate that
Neat! Thanks for working on this project and answering my questions.
Perhaps I need to look into it more but what you’re describing isn’t exactly far fetched.
With a csrf attack the victim has navigated to a malicious web app where the cross origin request does originate from the same browser instance where my hypothetical browsix http proxy is running.
Since I control the malicious app, I don’t see why I wouldn’t be able to have an onsubmit handler that proxies requests into browsix.
I’m not saying there’s guaranteed offensive use cases here…it’s just my intuition telling me it’s worth looking into for myself.
My comments aren’t intended as a criticism of your library. If I got a client to navigate to a web app I control there’s plenty of js-enabled damage to be caused without browsix.