Comments (6)
window.open(URL.createObjectURL(new Blob(["<script>window.opener.location='about:blank'; setTimeout(()=>{window.opener.alert(window.origin)}, 100);</script>"], {type: "text/html"})))
from snow.
This is awesome - great catch!
I have to admit I'm fairly confused. When I began this project I remember researching blobs specifically, knowing they might cause trouble, and for some reason came to the conclusion that they are cross-origin by definition; I'm surprised to see that is clearly not the case.
Here's my fix attempt, #45; if you want to have a look that'd be great, but feel free not to.
Regarding your 2nd find, tricks that involve redirecting the top realm are currently out of Snow's scope. That is because, AFAIK, controlling redirection is impossible with JS, and also an attack that involves redirecting the top main realm of the attacked page is rather rare and intrusive, not something you'd probably see.
Nevertheless, I can see real potential damage with such a technique, so I'm open to suggestions if anyone has a clever idea on how to defend against that.
from snow.
As pointed out by @arxenix, the #45 solution attempt is far from being complete.
I will have to revisit this; hopefully I'll have a solution to this issue soon (I am very much open to suggestions!).
from snow.
It was decided to disable the creation of URL objects from Blob/File completely until a clever solution is proposed.
Visit #69 (comment) for the full course of events.
from snow.
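An added example (not Snow's own code) of the policy this comment describes: a wrapper that refuses to mint object URLs from Blob/File at all rather than trying to validate them. It uses a constructed stand-in for `window.URL` and a fake `Blob` so it runs outside a browser; in a page you would call `install(window.URL, Blob)`.

```javascript
// Added example, not Snow's implementation: block createObjectURL for Blob/File
// entirely (the #69 decision) and pass everything else through untouched.
// `install` patches `createObjectURL` on whatever object is handed to it.
function install(urlObject, BlobCtor, log = () => {}) {
  const original = urlObject.createObjectURL;
  if (typeof original !== 'function') throw new TypeError('no createObjectURL to hook');
  urlObject.createObjectURL = function createObjectURL(obj) {
    // File inherits from Blob, so one instanceof check covers both.
    if (obj instanceof BlobCtor) {
      log(`blocked createObjectURL for ${obj.constructor.name} (${obj.size} bytes)`);
      throw new TypeError('policy: object URLs from Blob/File are disabled');
    }
    // Anything that is not a Blob (e.g. a MediaSource in a browser) is allowed.
    return original.call(this, obj);
  };
  return () => { urlObject.createObjectURL = original; }; // uninstall handle
}

// Self-contained demo: constructed stand-ins for window.URL, Blob and File,
// so this runs in Node. Returns the outcome of each call plus the log lines.
function demo() {
  class FakeBlob {
    constructor(parts, opts) { this.size = parts.join('').length; this.type = (opts && opts.type) || ''; }
  }
  class FakeFile extends FakeBlob {}
  class Other {}
  const fakeURL = { createObjectURL: (o) => `blob:https://example.test/${o.constructor.name}` };
  const events = [];
  const uninstall = install(fakeURL, FakeBlob, (m) => events.push(m));
  const results = {};
  const inputs = [
    ['blob', new FakeBlob(['<script>alert(1)</script>'], { type: 'text/html' })],
    ['file', new FakeFile(['x'], {})],
    ['other', new Other()],
  ];
  for (const [name, obj] of inputs) {
    try { results[name] = fakeURL.createObjectURL(obj); }
    catch (e) { results[name] = `error: ${e.message}`; }
  }
  uninstall();
  results.afterUninstall = fakeURL.createObjectURL(new FakeBlob(['x'], {}));
  return { results, events };
}
```

The `instanceof` test only recognises the Blob constructor of the realm it was installed in, so a wrapper like this covers one realm and is not a complete solution on its own.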
If disallowing the creation of URL objects from Blob/File completely, the way Snow does in #69, prevents your application from running correctly, please say so in this issue thread so we can discuss the problem and understand how to best deal with it.
from snow.
Linking this issue also to #87, where an improvement to this logic was introduced.
from snow.