Closed Gozala closed 5 years ago
`beforeunload` event handler to prevent navigating away. It isn't ideal because I don't think we can tell if the app is navigating to a different origin or staying on the same one. From what I can tell the second iframe loophole is actually prevented with CSPs 🎉, however navigation away isn't :(
There is also a relevant comment:

> I don't know of any way to fully prevent exfiltration. People *try* to do it with CSP but that's not part of the current CSP threat model and there are gaps. Navigation is the most obvious glaring hole. A future version of CSP adds "navigate-to" to limit navigations so that would help, but there's still no guarantee to prevent exfiltration.
I'll post updates when I figure out what other exfiltration holes are available.
Found the relevant spec: https://w3c.github.io/webappsec-csp/#directive-navigate-to
Most side-loading is prevented via CSPs. Given that `navigate-to` is not implemented by browsers yet, redirects have been prevented by setting `iframe.src` from lunet on the `beforeunload` event; that way navigation to other sites is prevented.
I think there is an opportunity for the app to smuggle data by navigating to some controlled URL like `smuggler.io?data=....&redirect=...` that would capture the passed data and then redirect back to the app to stay unnoticed. We need to find a way to prevent such behavior.

Another, maybe even more effective, way to smuggle data might be to load `<iframe src='//smuggler.io/' />` and keep passing data through `postMessage`.

Need to verify if a combination of CSPs and SW can prevent this behavior, or if there is some other mechanism to do so.
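As an added illustration (not part of this thread and not lunet's own code), the following Node-runnable JavaScript models the host-side controls the last two comments discuss: a CSP for the sandboxed app document that closes the nested-iframe hole, a check that classifies a navigation target as same-origin or cross-origin and flags data carried in the query (the `smuggler.io?data=...&redirect=...` pattern), and the `beforeunload` trick that snaps `iframe.src` back to the app. The function names, the example origins, and the assumption that the host can reach `iframe.contentWindow` (same-origin frame) are all illustrative assumptions; `navigate-to` is included in the policy only because the thread discusses it, since no browser implemented it at the time.

```javascript
// Added example for this thread; NOT lunet's code. Function names, the
// example origins, and the same-origin-frame assumption are illustrative.

// CSP the host would serve (or inject via <meta>) for the app document.
// frame-src/child-src 'none' closes the "second iframe" hole; connect-src
// 'self' blocks fetch/XHR/WebSocket side channels; form-action 'self'
// blocks form-based navigation to other sites. navigate-to is listed only
// because the thread discusses it; browsers did not implement it.
function buildAppCsp() {
  const directives = [
    "default-src 'none'",
    "script-src 'self'",
    "style-src 'self'",
    "img-src 'self'",
    "connect-src 'self'",
    "frame-src 'none'",
    "child-src 'none'",
    "form-action 'self'",
    "navigate-to 'self'",
  ];
  return directives.join('; ');
}

// Resolve a navigation target against the app origin and report whether it
// leaves that origin and whether it carries data in the query or fragment
// (the smuggler.io?data=...&redirect=... shape). Relative targets resolve
// against the app origin; javascript:/data: targets have an opaque origin
// ('null') and are therefore reported as cross-origin.
function classifyNavigation(appOrigin, target) {
  const url = new URL(target, appOrigin);
  const crossOrigin = url.origin !== new URL(appOrigin).origin;
  const carriesData = url.search.length > 1 || url.hash.length > 1;
  return { href: url.href, crossOrigin, carriesData };
}

// The beforeunload trick described above: when the app document is about to
// be replaced, point the iframe back at the app URL. Assumes the iframe is
// same-origin with the host so contentWindow is reachable. Browser-only; the
// guard lets this module load under Node for the checks below.
function guardIframeNavigation(iframe, appUrl) {
  if (typeof window === 'undefined') return false;
  iframe.contentWindow.addEventListener('beforeunload', () => {
    iframe.src = appUrl;
  });
  return true;
}

// Constructed sample inputs (not from the thread).
const APP_ORIGIN = 'https://app.example';
const EXFIL_TARGET =
  'https://smuggler.io/?data=secret&redirect=https://app.example/';

console.log(buildAppCsp());
console.log(classifyNavigation(APP_ORIGIN, '/settings'));
console.log(classifyNavigation(APP_ORIGIN, EXFIL_TARGET));
```

The origin check only helps where the host actually learns the destination (for example a link click or form submission it intercepts before the navigation starts); as the first comment notes, `beforeunload` itself does not expose the target, which is why the fallback is to reset `iframe.src` unconditionally.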