Comments (3)
Haha =) I'm glad that you already played with that. I believe that the frameset
element is not only old, but deprecated, discouraged and disliked! I don't know why it's not rendering in templates but I remember I had problems in the past rendering them after the body
element. Either way, I will come back in a few weeks once the online version is patched and play again with it! It's an immense challenge that you are trying to achieve, and it's fun to play with it :)
Either way, congrats and thank you for trying to make the web safer! =)
from snow.
By the way, @weizman, I've just realized I'm too old, that's why I recalled frameSet, but no worries, nobody that was born after 2000's will know it, so no hurries =) :P
from snow.
Hi again @magicmac!
In my defense, I was well aware of frameset
in this project already as can be seen here.
This vulnerability is actually more specific than you think, and quite strange actually!
When injecting srcdoc
html, I hook into that and make sure to protect it. I do so, by loading the html of the srcdoc
into a fake element, and then apply Snow protections to any "realmable" elements. I use the standard template
element to accomplish the task.
HOWEVER, it turns out rendering the <frameset>
element within a template element is impossible for some reason! Maybe because it's so old? 😅
If you try to load <frameset><frame src="javascript:alert.call(top, 1 )"></frameset>
into a template element, you end up with zero children!
To fix that, I transitioned into using a regular DOM element instead of the template one, which identifies the frameset
element at parsing correctly.
That was enough to patch this super specific and cool vulnerability #75
Thanks again @magicmac!
from snow.
Related Issues (20)
- Snow 2's CSP breaks Snow's inline scripts HOT 2
- Bypass via nested same-origin iframe HOT 4
- [WIP] How can we steer away from relying on CSP for security?
- Snow can be bypassed with iframes and srcdoc HOT 1
- Snow can be bypassed with Document.prototype.open HOT 2
- URL is hooked but webkitURL is not HOT 1
- Snow can be bypassed with inline script HOT 4
- Snow can by bypassed with race condition HOT 1
- Blob validation in Snow can be bypassed with native object copy HOT 2
- Snow can be bypassed with opener.alert() HOT 1
- customElements extends check can be bypassed using a non-string HOT 3
- Snow can by bypassed with Prototype Pollution HOT 1
- Snow can be bypassed with declarative shadow DOM passed as object instead of string HOT 1
- Snow can by bypassed with polluting NodeList.prototype.length HOT 2
- Snow can be bypassed with native Prototype Pollution HOT 1
- Snow can be bypassed with meta and the HTML sanitizer HOT 1
- Snow can be bypassed with nested cross-origin frames HOT 2
- Snow can be bypassed with forms and buttons formAction HOT 1
- Snow can be bypassed with location.replace HOT 3
- report from twitter HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from snow.