Across ↔️

Across standard allows different scripts within the same web application to communicate with each other by passing messages between one another securely

📖 Technical explanation
⚙️ Installation and usage
👩🏽‍💻 Source Code
💪🏻 Motivation behind this project

Demo 🧐

~ Can you bypass Across?

  • In this website there are two scripts that use Across to securely communicate with each other
  • Script sender sends a message to script receiver, and script receiver alerts that message ONLY if it really was sent by script sender
  • Try to do anything in your power to successfully send a message to receiver and make it believe that your message was really sent by script sender
  • To do so, you'd have to upload a script somewhere and paste its URL in the bottom line (Across only respects scripts that are loaded externally before DOM finished loading)
  • For demonstration purposes, by default sender-fake is loaded and is also trying to send a message to receiver, but the latter successfully rejects it for not really being sender
  • Click the button to execute your code (⌘ + ↵ / ^ + ↵ will work too)
  • If you succeed - Congratz! You bypassed Across (please, open an issue, we'd love to improve its security)

  • Funded by Consensys 💙
    Maintained and developed by MetaMask 🦊
    Invented and developed by Gal Weizman 👋🏻
    Runs on Snow ❄️