by hbn 1587 days ago
It's hosted on Github Pages which is just static file serving. And thanks to CORS restrictions I don't think you could phone home.

Unless there's a workaround I'm not thinking of.

3 comments

GitHub pages are served with Access-Control-Allow-Origin: *, so the SOP doesn’t apply.

They also don’t set a CSP header, which opens up the opportunity to exfiltrate data by other means, e.g. having the browser load an image on your.site/$password.jpg.
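A header audit in the spirit of the comment above, added here as an example and not code from the thread or from GitHub: it parses a response's Content-Security-Policy the way a browser resolves fetch directives (falling back to default-src) and flags when img-src or connect-src would still let a page script reach an off-site host. The header sets are constructed samples, not captured responses.

```python
# Constructed sample header sets (illustrative, not captured from any real site).
PAGES_LIKE = {
    "Access-Control-Allow-Origin": "*",
    "Content-Type": "text/html; charset=utf-8",
}
HARDENED = {
    "Content-Security-Policy": (
        "default-src 'none'; script-src 'self'; style-src 'self'; "
        "img-src 'self'; connect-src 'none'"
    ),
}


def parse_csp(value):
    """Split 'dir src src; dir src' into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives inherit default-src when absent; None = no limit at all."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def audit_headers(headers):
    """Return a list of findings about exfiltration channels left open by the headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("ACAO is '*': any origin may read this response")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("no CSP: page scripts may load images or fetch from any host")
        return findings
    policy = parse_csp(csp)
    for directive in ("img-src", "connect-src"):
        srcs = effective_sources(policy, directive)
        if srcs is None:
            findings.append(f"{directive} unrestricted (no directive and no default-src)")
        elif any(s == "*" or s.startswith("http") for s in srcs):
            findings.append(f"{directive} allows off-site hosts: {' '.join(srcs)}")
    return findings
```

A CSP with `default-src 'none'` plus explicit `img-src 'self'` and `connect-src 'none'` is what closes the image-request channel the comment describes; the ACAO finding is informational, since the destination's CORS policy, not the page's, governs what a script can read back.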

Ah right. Simple!
The CORS policy is set by the server receiving the request, not the page/server sending it.
Can't you embed off-site images?