Gozala / lunet

Exploration: P2P Network access through the service worker
https://lunet.link

Prevent data smuggling through redirects. #5

Closed Gozala closed 5 years ago

Gozala commented 5 years ago

I think there is an opportunity for an app to smuggle data by navigating to some controlled URL like smuggler.io?data=....&redirect=... that would capture the passed data and then redirect back to the app to stay unnoticed. We need to find a way to prevent such behavior.

Another maybe even more effective way to smuggle data might be to load <iframe src='//smuggler.io/' /> and keep passing data through postMessage.

Need to verify if a combination of CSPs and SW can prevent this behavior, or if there is some other mechanism to do so.

Gozala commented 5 years ago

Thoughts

Gozala commented 5 years ago

From what I can tell the second iframe loophole is actually prevented with CSPs 🎉 however navigation away isn't :(

There is also a relevant comment:

I don't know of any way to fully prevent exfiltration. People /try/ to do it with CSP, but that's not part of the current CSP threat model and there are gaps. Navigation is the most obvious glaring hole. A future version of CSP adds "navigate-to" to limit navigations, so that would help, but there's still no guarantee to prevent exfiltration.

I'll post updates when I figure out what other exfiltration holes are available.

Gozala commented 5 years ago

Found relevant spec https://w3c.github.io/webappsec-csp/#directive-navigate-to

Gozala commented 5 years ago

Most side-loading is prevented via CSPs. Given that navigate-to is not implemented by browsers yet, redirects have been prevented by setting iframe.src from lunet on the beforeunload event; that way navigation to other sites is prevented.
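To make the coverage discussed in this thread concrete, here is an added example (not lunet's code) that parses a CSP string and reports whether the two channels raised above, framing smuggler.io and navigating to it, are allowed. It assumes the page is served from https://lunet.link and treats "smuggler.io" as the constructed attacker origin; sources with ports, nonces or hashes are out of scope.

```javascript
// Added example, not lunet's code: a minimal CSP evaluator for the two
// exfiltration channels in this issue: a cross-origin <iframe> (frame-src,
// falling back to child-src, then default-src) and top-level navigation
// (navigate-to, which has no fallback and at the time had no browser support).

// Parse "directive src1 src2; directive2 ..." into Map(directive -> [sources]).
// As in browsers, only the first occurrence of a directive counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Does one source expression match an origin such as "https://smuggler.io"?
function sourceMatches(source, origin, selfOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return origin === selfOrigin;
  if (source === "*") return true;
  const [scheme, host] = origin.split("://");
  const [srcScheme, srcHost] = source.includes("://") ? source.split("://") : [null, source];
  if (srcScheme && srcScheme !== scheme) return false;
  if (srcHost.startsWith("*.")) return host.endsWith(srcHost.slice(1)); // "*.a.io" matches "b.a.io"
  return host === srcHost;
}

// Walk the fallback chain; if no directive in the chain is present, the
// channel is unrestricted (this is what makes a missing navigate-to a hole).
function allows(directives, chain, origin, selfOrigin) {
  const name = chain.find((n) => directives.has(n));
  if (name === undefined) return true;
  return directives.get(name).some((s) => sourceMatches(s, origin, selfOrigin));
}

// For a page on selfOrigin, can smugglerOrigin be framed or navigated to?
function exfilReport(policy, selfOrigin, smugglerOrigin) {
  const d = parseCsp(policy);
  return {
    iframeAllowed: allows(d, ["frame-src", "child-src", "default-src"], smugglerOrigin, selfOrigin),
    navigationAllowed: allows(d, ["navigate-to"], smugglerOrigin, selfOrigin),
  };
}

// Constructed sample: a self-only policy closes the iframe channel but not navigation.
const SELF = "https://lunet.link";
const SMUGGLER = "https://smuggler.io";
console.log(exfilReport("default-src 'self'; frame-src 'self'", SELF, SMUGGLER));
// → { iframeAllowed: false, navigationAllowed: true }
```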