left pad names to hide size-based info leakage

kbrose · Dec 2, 2023 · 4ddfed8 · 4ddfed8
1 parent ad419b4
commit 4ddfed8
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/main.js b/main.js
@@ -20,15 +20,19 @@ function submitNames() {
 
   var linkStub = window.location.origin + window.location.pathname + "who.html#";
 
+  var maxLen = Math.max(...names.map((n) => n.length));
+
   links.innerHTML = names.map(
     (gifter, i) => {
-      var link = composeLink(linkStub, gifter, newNames[i]);
+      var link = composeLink(linkStub, gifter, newNames[i], maxLen);
       return "<li>" + gifter + ": <a href=\"" + link + "\">" + link + "</a></li>"
     }
   ).join("\n");
 }
 
-function composeLink(stub, gifter, giftee) {
+function composeLink(stub, gifter, giftee, maxLen) {
+  gifter = gifter.padStart(maxLen);
+  giftee = giftee.padStart(maxLen);
   return stub + bytesToBase64(new TextEncoder().encode(gifter + "," + giftee))
 }
 

diff --git a/style.css b/style.css
@@ -1,6 +1,6 @@
 body {
     margin: 40px auto;
-    max-width: 650px;
+    max-width: 800px;
     line-height: 1.6;
     font-size: 20px;
     color: #444;
@@ -13,7 +13,7 @@ input {
 }
 
 input[type="text"] {
-    width: 600px;
+    width: 800px;
     height: 1.6;
 }
 

diff --git a/who.js b/who.js
@@ -7,6 +7,8 @@ function main() {
   var gifter
   var giftee
   [gifter, giftee] = new TextDecoder().decode(base64ToBytes(document.location.hash.split("#")[1])).split(",")
+  gifter = gifter.replace(/^\s+/g, '');
+  giftee = giftee.replace(/^\s+/g, '');
   document.getElementById("who").innerHTML = "Hello, " + gifter + "! You are buying a gift for " + giftee + ".";
 }