Snow can be bypassed with frameSet about snow HOT 3 CLOSED

Haha =) I'm glad that you already played with that. I believe that the frameset element is not only old, but deprecated, discouraged and disliked! I don't know why it's not rendering in templates but I remember I had problems in the past rendering them after the body element. Either way, I will come back in a few weeks once the online version is patched and play again with it! It's an immense challenge that you are trying to achieve, and it's fun to play with it :)

Either way, congrats and thank you for trying to make the web safer! =)

from snow.

By the way, @weizman, I've just realized I'm too old, that's why I recalled frameSet, but no worries, nobody that was born after 2000's will know it, so no hurries =) :P

from snow.

Hi again @magicmac!

In my defense, I was well aware of frameset in this project already as can be seen here.

This vulnerability is actually more specific than you think, and quite strange actually!

When injecting srcdoc html, I hook into that and make sure to protect it. I do so, by loading the html of the srcdoc into a fake element, and then apply Snow protections to any "realmable" elements. I use the standard template element to accomplish the task.

HOWEVER, it turns out rendering the <frameset> element within a template element is impossible for some reason! Maybe because it's so old? 😅

If you try to load <frameset><frame src="javascript:alert.call(top, 1 )"></frameset> into a template element, you end up with zero children!

To fix that, I transitioned into using a regular DOM element instead of the template one, which identifies the frameset element at parsing correctly.

That was enough to patch this super specific and cool vulnerability #75

Thanks again @magicmac!

from snow.