Javascript Art is in the URL

[Alexander Reben] makes tech art, and now he’s encouraging you to do the same — within a URL. The gimmick? Making the code small enough to fit the data portion of a link. And to help with that, he has set up a webpage that uncompresses and wraps code from the URL and inserts it into the HTML on the fly. His site essentially applies or un-applies all the tricks of JS minification in the URL, and turns that into content.

So, for instance,https://4QR.xyz/c/?eJzzSM3JyVcIzy_KSVEEABxJBD4 uncompresses to a webpage that says “Hello World!”. But the fun really starts when you start coding up “art” in Javascript or HTML5. There are a few examples up in the gallery right now, but [Alexander] wants you to contribute your own. The banner is from this link.

Something strikes us as fishy about passing JS code opaquely in links, but since the URL decodes on [Alexander]’s server, we don’t see the XSS attack just yet. If you can find the security problem with this setup, or better yet if you write up a nice animation, let us know in the comments.

9 thoughts on “Javascript Art is in the URL

  1. Well, as long as there is nothing with private cookie/local storage data hosted on 4QR.xyz, the XSS risks do not matter.

    However this could be used to implement some javascript attacks with e.g. links posted on facebook without having to use your own server. But because untrackable/compromised servers are easy enough to get anyway, it doesn’t change the picture much.

  2. Nothing decodes on his server, the whole thing is javascript. Your computer decodes the code itself, his server just serves a standard page with the javascript required to decode the url, it’s the same whatever url you use.
    It’s really really really simple, it uses base64 encoding, really standard stuff.
    There is somewhat of security concern, but it’s exactly like accessing any random page you don’t know anything about, one could easily link to external scripts trojans whatever you can do on a website. So pretty vanilla.

    1. But in this case you KNOW jokers will try to make some ‘art’ available that messes with people.
      And while you might avoid avoid dodgy sites if you trust this one you are open to stuff you would normally avoid.

      I wonder if Google and the like will start flagging this site as risky.

    2. You can include Javascript in links anyway, at least as bookmarklets. Why not do that? The use of a third-party site to do the crucial parts that make it work makes it much less impressive.

      Although the examples there are pretty unimpressive anyway… Never has drawing a few circles so bogged down a computer.

  3. Alex from 4QR here.

    A few comments given the other comments…
    Any html / JS / etc… that a browser can display can technically be encoded into the URL, but anything a browser would block would be blocked here as well.
    Nothing “runs” on the server (it’s on static hosting).
    I’ve tested URL lengths up to 9999 chars long as working in chrome.
    goo.gl, bit.ly ,tinyurl, etc… work with these URLs, effectively “hosting” the generated page on the link shortener. Even twitter will shorten the URL if put in a tweet.
    There are some more examples at https://4QR.xyz/gallery
    I’ve made a little subreddit for sharing links https://www.reddit.com/r/4QRxyz/
    I’ll try to answer any questions here (and add them to the site Q&A if good).

  4. For now, maybe Firefox + NoScript Plug-In? I know, NoScript is far from perfect (at-least ban the default White List in NoScript). I rarely allow scripting on any sites my browser visits. Hint HaD: The day you saddle us with layers of mandatory scripting on your site – we’re GONE!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s