weizman
commented
2 years ago thinking about a solution a bit more, i think what should be done is adding the hooked window to the list of already hooked windows only in case that window is same origin and can be hooked. so for example:
- cross origin iframe attached to DOM
- Glazier skips it and keeps it out of the already hooked list
- iframe origin changed to same origin while still attached to DOM
- Glazier puts it in the list and hooks it
- iframe origin changed to cross origin while still attached to DOM
- Glazier takes it out of the list
I think this should maintain the hook-only-once logic while leaving no security holes here - research is needed here
fixing a vulnerability that existed in the code, POC bypassing Glazier
v1.0.4can be found at the bottomthe vulnerability results due to the hook-only-once logic, which comes to make sure a window is being hooked by Glazier only once, and if for some reason Glazier processes that window the second time, Glazier is told to skip it from being hooked again (as it was already hooked).
implementing such logic is not trivial since it can easily be exploited by attackers.
originally, having an array of windows that were hooked seemed like a good idea, but the POC below proves otherwise.
maybe we should consider adding to that array of windows some indication regarding the origin, so if Glazier processes the same window but with a different origin, it should not ignore it (just a thought)
for now, hook-only-once logic is removed, however it introduces a new logical and performance issue that makes Glazier rehook windows even when not needed - this can easily cause exceptions and unwanted behaviours depend on the callback provided to Glazier
REPRODUCE:
GLAZE(w=>alert=111)EXPECTED:
alert should fail since now it is 111
ACTUAL:
alert works, Glazier is bypassed