Bypasses via Blob URIs about snow HOT 6 CLOSED

window.open(URL.createObjectURL(new Blob(["<script>window.opener.location='about:blank'; setTimeout(()=>{window.opener.alert(window.origin)}, 100);</script>"], {type: "text/html"})))

from snow.

This is awesome - great catch!

I have to admit I'm fairly confused, when I began this project I remember researching blobs specifically knowing they might cause trouble and for some reason came to the conclusion they are cross origin by definition - I'm surprised to see that is clearly not the case.

Here's my fix attempt #45, if you wanna have a look that'd be great, feel free also not to.

Regarding your 2nd find, tricks that involve redirecting the top realm are currently out of Snow's scope. That is because AFAIK controlling redirection is impossible with JS and also an attack that involves redirecting the top main realm of the attacked page is rather rare and intrusive, not something you'd probably see.

Nevertheless, I can see real potential damage with such a technique, so I'm open to suggestions if anyone has a clever idea on how to defend against that.

from snow.

As pointed out by @arxenix, the #45 solution attempt is far from being complete.
Will have to revisit this, hopefully will have a solution to this issue soon (am very much open to suggestions!)

from snow.

It was decided to disable creation of URL object out of Blob/File completely until a clever solution is proposed.
Visit #69 (comment) for full course of events

from snow.

if disallowing creation of URL object out of Blob/File completely the way Snow does in #69 prevents your application from running correctly, please share so in this issue thread so we can discuss the problem and understand how to best deal with it

from snow.

linking this issue also to #87 where an improvement to this logic was introduced

from snow.