Comments (4)
Fix seems to be block cross-origin contentWindow only allowing what is known to be safe.
It should not be expected that all pages on an origin will contain embed protection or the SNOW script.
For example an image, https://www.google.com/favicon.ico (Does this mean Google has a security issue?... no)
from snow.
In a world where:
- JS runtime protections tools are popular;
- Google uses such a tool (call it X);
- Naturally, X is vulnerable to the same origin problem Snow protects against;
Then the answer to the question "Does this mean Google has a security issue?" is in fact YES.
And the context of this project is around assuming a potential user of Snow wants to protect themselves against this class of issues, so again, this is a security issue.
To be clear, in the world I describe, Google are expected to serve google.com/favicon.ico with an X-Frame-Options: SAMEORIGIN
or 'Content-Security-Policy': 'frame-ancestors "none";'
because there isn't a legitimate reason to frame a non-framable resource - only malicious reasons.
In MetaMask, currently being the main adopter of Snow, we take these issues seriously, which is why you can't frame anything under the MetaMask origin, including favicon.ico
s.
That being said, this isn't ideal. I would obviously prefer a better solution that requires less responsibility from the adopter. This is why we wish to end up in a place where we convince browsers to help out with some builtin solutions.
But for now, I agree encouraging the adopter to set a Content-Security-Policy': 'frame-ancestors "trusted.com";
when integrating Snow is a good thing to do. To me that is a fair action-item.
from snow.
Yeah for the browser extension I see you got "content_security_policy": "frame-ancestors 'none'; script-src 'self'; object-src 'self'"
This is better then using WAR which I think is only initiator based.
Regarding the https://metamask.io
origin:
f=document.createElement('iframe');
f.src='https://metamask.io/favicon-32x32.png';
document.body.appendChild(f);
Does work :)
I agree with encouraging the adopter to set a Content-Security-Policy': 'frame-ancestors "trusted.com";
in all cases.
It looks bad when your demo can be escaped.
from snow.
To be clear, in the world I describe, Google are expected to serve google.com/favicon.ico with an X-Frame-Options: SAMEORIGIN or 'Content-Security-Policy': 'frame-ancestors "none";' because there isn't a legitimate reason to frame a non-framable resource - only malicious reasons.
This is an unrealistic assumption. There will be always plenty of endpoints with either missing the headers or the ones that are purposefully frameable. Even with that assumption, the below bypass works fine with both X-Frame-Options: SAMEORIGIN
and Content-Security-Policy: frame-ancestors 'none'
set at the same time.
f=document.createElement('iframe');
f.hidden = true;
f.src='https://terjanq.me/xss.php?html=<iframe>';
f.onload = () => {
f.contentWindow[0].location='about:blank';
setTimeout(()=>{
f.contentWindow[0].alert(origin);
}, 500);
}
document.body.appendChild(f);
from snow.
Related Issues (20)
- [WIP] How can we steer away from relying on CSP for security?
- Snow can be bypassed with iframes and srcdoc HOT 1
- Snow can be bypassed with Document.prototype.open HOT 2
- URL is hooked but webkitURL is not HOT 1
- Snow can be bypassed with inline script HOT 4
- Snow can by bypassed with race condition HOT 1
- Blob validation in Snow can be bypassed with native object copy HOT 2
- Snow can be bypassed with opener.alert() HOT 1
- customElements extends check can be bypassed using a non-string HOT 3
- Snow can by bypassed with Prototype Pollution HOT 1
- Snow can be bypassed with declarative shadow DOM passed as object instead of string HOT 1
- Snow can by bypassed with polluting NodeList.prototype.length HOT 2
- Snow can be bypassed with native Prototype Pollution HOT 1
- Snow can be bypassed with meta and the HTML sanitizer HOT 1
- Snow can be bypassed with nested cross-origin frames HOT 2
- Snow can be bypassed with forms and buttons formAction HOT 1
- Snow can be bypassed with location.replace HOT 3
- report from twitter HOT 1
- Snow can be bypassed by creating a Blob URI inside a worker HOT 7
- Snow can be bypassed using the Response.prototype.blob function HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from snow.