LavaMoat / LavaDome

Secure DOM trees isolation and encapsulation leveraging ShadowDOM
https://lavamoat.github.io/LavaDome/packages/core/demo/
MIT License

Refuse to load LavaDome within non-top documents #45

Closed weizman closed 3 days ago

weizman commented 2 weeks ago

Make sure the LavaDome code refuses to load in non-top documents from the start, so as not to allow attackers to reload the entire page within an iframe whose environment they control. E.g.:

```js
// Attack sketch: open a same-origin iframe, hook a primitive in its realm,
// then reload the whole page (LavaDome included) into that hooked realm.
(async () => {
  const ifr = document.body.appendChild(document.createElement('iframe'));
  const payload = `// hook into a primitive LavaDome counts on to steal its secret`;
  ifr.contentWindow.eval(payload); // runs in the frame's realm before the page loads there
  const html = await (await fetch('/')).text();
  ifr.contentDocument.write(html); // the page now boots inside the tampered frame
})();
```
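A top-document guard of the kind this comment proposes, written as an added example rather than LavaDome's own code. It takes a window-like object as a parameter so it can be exercised outside a browser; `makeWindow`, `attackerFrame` and the `loadIfTop`/`naiveIsTopDocument` names are constructed for the example. The stand-in window models the HTML spec's attribute classes: `Window.top` and `Window.window` are `[LegacyUnforgeable]` (non-configurable, non-writable own accessors), while `self` and `parent` are `[Replaceable]`, so script that ran in the frame before the page loaded there can shadow the latter two but not the former. The guard therefore compares `win.window` with `win.top` only.

```javascript
// Added example, not LavaDome code. Top-document guard that relies only on
// the unforgeable Window attributes, plus a constructed browser stand-in.

function isTopDocument(win = globalThis) {
  // `window` and `top` are [LegacyUnforgeable] in the HTML spec: they cannot be
  // redefined by page script, so this comparison survives a pre-scripted frame.
  return win.window === win.top;
}

function naiveIsTopDocument(win) {
  // `self` and `parent` are [Replaceable]; shown only to contrast with isTopDocument.
  return win.self === win.parent;
}

// Run `init` only when `win` is the top-level document; returns what happened
// instead of throwing so a caller can log or degrade deliberately.
function loadIfTop(win, init) {
  if (!isTopDocument(win)) {
    return { loaded: false, reason: 'refusing to load inside a non-top document' };
  }
  init();
  return { loaded: true, reason: null };
}

// Constructed stand-in for a browser Window (hypothetical; mirrors the spec's
// attribute classes so the two checks can be compared under Node).
function makeWindow({ top } = {}) {
  const w = {};
  // Unforgeable: non-configurable accessors, so later defineProperty/assignment fails.
  Object.defineProperty(w, 'window', { get: () => w, configurable: false });
  Object.defineProperty(w, 'top', { get: () => top || w, configurable: false });
  // Replaceable: ordinary writable properties that page script may shadow.
  w.self = w;
  w.parent = top || w;
  return w;
}

// The attacker's frame from the issue: scripted before the page is written into
// it, so the replaceable attributes are shadowed to look like a top document.
function attackerFrame(realTop) {
  const frame = makeWindow({ top: realTop });
  frame.parent = frame; // replaceable: succeeds
  frame.self = frame;   // replaceable: succeeds
  let forgedTop = true;
  try {
    Object.defineProperty(frame, 'top', { get: () => frame }); // unforgeable: throws
  } catch (e) {
    forgedTop = false;
  }
  return { frame, forgedTop };
}

// Stand-alone demonstration.
const realTop = makeWindow();
const { frame, forgedTop } = attackerFrame(realTop);
console.log('attacker could forge top:', forgedTop);          // false
console.log('naive check on frame:', naiveIsTopDocument(frame)); // true (fooled)
console.log('unforgeable check on frame:', isTopDocument(frame)); // false
console.log(loadIfTop(frame, () => {}));
console.log(loadIfTop(realTop, () => {}));
```

The guard only decides whether to initialise at all; it does not address the follow-up concern in this thread that any runtime flag for conditionally allowing non-top documents lives in the same tamperable environment, since such a flag would be an ordinary value rather than an unforgeable attribute.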
weizman commented 3 days ago

I'm on the fence with this one. I can think of legit use cases (XO iframe where LavaDome is integrated), and then if I want to support non-top docs conditionally it's practically impossible to do so safely, because passing a bool arg indicating whether to run or not can also be tampered with by the attacker.

Closing for now, also because I'm not sure there's an actual attack surface here to begin with.