
Show HN: Surreptitiously exfiltrate data from the browser using DNS - eat_veggies
https://github.com/veggiedefender/browsertunnel
======
Nextgrid
I might be missing something, but couldn't you do this already without relying
on DNS prefetching by just attempting a CORS request to an arbitrary subdomain
(the subdomain being the data you wish to exfiltrate)? I would expect the
browser to do an OPTIONS request to the URL, thus resolve the subdomain.

~~~
eat_veggies
That's right. You can also use `<link rel=preconnect ...>` to start a TCP
handshake, which will also cause the browser to resolve the domain. But by
doing these, you're making more noise on the network. The CORS request will
show up in dev tools, and it is also unclear how it will behave under a strict
CSP (it's worth experimenting with though).

Nevertheless, the server portion of this project doesn't care _how_ you make
your DNS queries as long as they are happening.
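
A defender-side view of the point above, added here as an example and not part of the thread or the browsertunnel project: whichever browser feature triggers the lookup, the data still reaches the resolver as many distinct, long, high-entropy subdomains of one parent zone. The function names, thresholds and sample log entries below are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample, not real traffic: (client, queried name) pairs from a resolver log.
# The long labels are rotations of the base32 alphabet, standing in for encoded chunks.
B32 = "abcdefghijklmnopqrstuvwxyz234567"
SAMPLE_QUERIES = (
    [("10.0.0.5", f"{h}.example.org") for h in ("www", "cdn", "mail")]
    + [("10.0.0.6", f"img{i}.cdn.example.net") for i in range(4)]
    + [("10.0.0.7", f"{B32[i:] + B32[:i]}.tunnel.example") for i in (0, 8, 16, 24)]
)


def split_name(name, depth=2):
    """Return (parent, subdomain). Assumption: the parent zone is the last
    `depth` labels; a real deployment would use a public-suffix list."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:]), ".".join(labels[:-depth])


def entropy(text):
    """Shannon entropy in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def flag_exfil_domains(queries, min_unique=4, min_avg_len=20, min_entropy=3.5):
    """Flag parent zones queried with many distinct, long, high-entropy
    subdomains. Thresholds are illustrative assumptions, not tuned values."""
    subs_by_parent = defaultdict(set)
    for _client, name in queries:
        parent, sub = split_name(name)
        if sub:
            subs_by_parent[parent].add(sub)
    flagged = {}
    for parent, subs in subs_by_parent.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        ent = entropy("".join(subs).replace(".", ""))
        if len(subs) >= min_unique and avg_len >= min_avg_len and ent >= min_entropy:
            flagged[parent] = {"unique": len(subs), "avg_len": avg_len, "entropy": round(ent, 2)}
    return flagged


if __name__ == "__main__":
    print(flag_exfil_domains(SAMPLE_QUERIES))
```

Because it works from resolver logs alone, the check is independent of whether the lookups came from prefetch, preconnect or a CORS request.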

