LavaMoat / LavaDome

Secure DOM trees isolation and encapsulation leveraging ShadowDOM
https://lavamoat.github.io/LavaDome/packages/core/demo/
MIT License

LavaDome bypass via overridden built-in methods #39

Closed masatokinugawa closed 2 months ago

masatokinugawa commented 2 months ago

I'm not sure if LavaDome is intended to provide protection for this kind of bypass, but even if developers follow "Defensive coding" mentioned in the README, it can be bypassed using another window.

weizman commented 2 months ago

Not part of the threat model.

This is something LavaDome (and generally, the Web) can't protect against with its current characteristics unfortunately.

It's one thing to protect the main realm of the application against attacks, but attempting to defend child same origin realms (aka window/popup/iframe/etc) is a challenge yet to be solved.

In fact, under the LavaMoat organization there's SnowJS which is a security tool designed for that purpose exactly - it takes your JavaScript code and runs it for you automatically in all child same origin realms under the top main realm of your app.

The problem with Snow is that because of how complex Web and DOM APIs are, accomplishing such a mission in JavaScript user land seems to be too difficult (hence the many open issues against the Snow repo indicating open vulnerabilities).

Because of that, we proposed a browser level solution for this problem in the WICG (see #144).

But until then, there isn't a way to secure all realms from this.

For LavaDome that's fine, because according to the use case, you'd have to trick the victim into interacting with the wrong window for this to work. That's harder to tell via this demo because in the demo the secret is being displayed without any user interaction, but with real use cases, such a secret should only be written to DOM after explaining to the user they have to be cautious before the app displays it, and for that the user must acknowledge the realm by interacting with it.

I do agree that if you managed to trick the user into interacting with the wrong realm you can effectively cancel any runtime security tool. But due to it being an unlikely attack vector as well as something the web can't protect against atm, this tentatively remains out of scope.

Hope this makes sense!