The Across standard allows different scripts within the same web application to communicate securely by passing messages to one another.
~ Can you bypass Across?
On this website there are two scripts that use Across to securely communicate with each other. Script sender sends a message to script receiver, and script receiver alerts that message ONLY if it really was sent by script sender.
Try to do anything in your power to successfully send a message to receiver and make it believe that your message was really sent by script sender.
To do so, you'd have to upload a script somewhere and paste its URL in the bottom line (Across only respects scripts that are loaded externally before the DOM has finished loading). For demonstration purposes, by default sender-fake is loaded and is also trying to send a message to receiver, but the latter successfully rejects it for not really being sender.
Click the button to execute your code (⌘ + ↵ / ^ + ↵ will work too). If you succeed - Congratz! You bypassed Across (please, open an issue, we'd love to improve its security).
Funded by Consensys 💙
Maintained and developed by MetaMask 🦊
Invented and developed by Gal Weizman 👋🏻
Runs on Snow ❄️