[Alexander Reben] makes tech art, and now he’s encouraging you to do the same — within a URL. The gimmick? Making the code small enough to fit the data portion of a link. And to help with that, he has set up a webpage that uncompresses and wraps code from the URL and inserts it into the HTML on the fly. His site essentially applies or un-applies all the tricks of JS minification in the URL, and turns that into content.
So, for instance,
Something strikes us as fishy about passing JS code opaquely in links, but since the URL decodes on [Alexander]’s server, we don’t see the XSS attack just yet. If you can find the security problem with this setup, or better yet if you write up a nice animation, let us know in the comments.
Well, as long as there is nothing with private cookie/local storage data hosted on 4QR.xyz, the XSS risks do not matter.
It’s really really really simple, it uses base64 encoding, really standard stuff.
There is somewhat of security concern, but it’s exactly like accessing any random page you don’t know anything about, one could easily link to external scripts trojans whatever you can do on a website. So pretty vanilla.
But in this case you KNOW jokers will try to make some ‘art’ available that messes with people.
And while you might avoid avoid dodgy sites if you trust this one you are open to stuff you would normally avoid.
I wonder if Google and the like will start flagging this site as risky.
Although the examples there are pretty unimpressive anyway… Never has drawing a few circles so bogged down a computer.
Alex from 4QR here.
A few comments given the other comments…
Any html / JS / etc… that a browser can display can technically be encoded into the URL, but anything a browser would block would be blocked here as well.
Nothing “runs” on the server (it’s on static hosting).
I’ve tested URL lengths up to 9999 chars long as working in chrome.
goo.gl, bit.ly ,tinyurl, etc… work with these URLs, effectively “hosting” the generated page on the link shortener. Even twitter will shorten the URL if put in a tweet.
There are some more examples at https://4QR.xyz/gallery
I’ve made a little subreddit for sharing links https://www.reddit.com/r/4QRxyz/
I’ll try to answer any questions here (and add them to the site Q&A if good).
Forget worrying about an XSS attack, this is a direct script injection! It’s very cool and exceptionally dangerous. ;)
I run ScriptBlock, not even URLs get past it.
Yep my protection won’t allow it either by default, but didn’t firefox also disable such things at some point? Even without addons.
For now, maybe Firefox + NoScript Plug-In? I know, NoScript is far from perfect (at-least ban the default White List in NoScript). I rarely allow scripting on any sites my browser visits. Hint HaD: The day you saddle us with layers of mandatory scripting on your site – we’re GONE!
Please be kind and respectful to help make the comments section excellent. (Comment Policy)