2 comments

[ 5.1 ms ] story [ 15.1 ms ] thread
I might be missing something, but couldn't you do this already without relying on DNS prefetching by just attempting a CORS request to an arbitrary subdomain (the subdomain being the data you wish to exfiltrate)? I would expect the browser to do an OPTIONS request to the URL, thus resolve the subdomain.
That's right. You can also use `<link rel=preconnect ...>` to start a TCP handshake, which will also cause the browser to resolve the domain. But by doing these, you're making more noise on the network. The CORS request will show up in dev tools, and it is also unclear how it will behave under a strict CSP (it's worth experimenting with though).

Nevertheless, the server portion of this project doesn't care how you make your DNS queries as long as they are happening.