LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Snow 2's CSP breaks Snow's inline scripts #132

Closed mmndaniel closed 11 months ago

mmndaniel commented 1 year ago
var d = document.createElement('div');
document.body.appendChild(d);
// Nested same-origin realms: an outer srcdoc iframe that itself contains an iframe
// (the original was missing the '>' that closes the outer <iframe> start tag)
d.innerHTML = `<iframe srcdoc="<iframe></iframe>"></iframe>`;
// Snow is expected to have hooked the inner realm before this runs
frames[0][0].alert(1);

See console: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob:". .. etc. The CSP doesn't have a nonce/hash, so the inline scripts created by https://github.com/LavaMoat/snow/blob/77d1378e86d08aec531c6d20d0d0ab8f2c04e7b1/src/html.js#L9 and https://github.com/LavaMoat/snow/blob/77d1378e86d08aec531c6d20d0d0ab8f2c04e7b1/src/html.js#L14 won't execute.
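To check up front whether a page's CSP will let injected inline scripts like Snow's run, here is a small checker added to this thread (not Snow's code) that parses a serialized policy and reports whether an inline script, with or without a nonce or hash, would be allowed. The policy string from the console message above is used as the sample; the other policy strings are constructed for illustration.

```javascript
// Added example, not part of Snow: decide whether an inline <script> executes
// under a given Content-Security-Policy, and why, so a deployment can detect
// the failure reported above (script-src without 'unsafe-inline', nonce or hash).

// Parse "name src src; name src" into { name: [sources] }; per the CSP spec the
// first occurrence of a directive wins and later duplicates are ignored.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!(name in directives)) directives[name] = sources;
  }
  return directives;
}

// `nonce` / `hash` describe the script being injected (hash as "sha256-<b64>");
// omit both for a plain inline script such as the ones Snow creates in html.js.
function inlineScriptAllowed(policy, { nonce, hash } = {}) {
  const d = parseCsp(policy);
  // Governing directive: script-src-elem, then script-src, then default-src.
  const sources = d['script-src-elem'] || d['script-src'] || d['default-src'];
  if (!sources) return { allowed: true, reason: 'no script directive in policy' };
  const lower = sources.map((s) => s.toLowerCase());
  // Nonce and hash values are case-sensitive, so match them against the raw list.
  if (nonce && sources.includes(`'nonce-${nonce}'`)) return { allowed: true, reason: 'nonce matches' };
  if (hash && sources.includes(`'${hash}'`)) return { allowed: true, reason: 'hash matches' };
  // 'unsafe-inline' only counts when the list has no nonce/hash and no 'strict-dynamic'.
  const hasNonceOrHash = lower.some((s) => s.startsWith("'nonce-") || /^'sha(256|384|512)-/.test(s));
  const strictDynamic = lower.includes("'strict-dynamic'");
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic) {
    return { allowed: true, reason: "'unsafe-inline' present" };
  }
  return { allowed: false, reason: `no matching nonce/hash or 'unsafe-inline' in: ${sources.join(' ')}` };
}

// The policy quoted in the console error above: Snow's injected inline scripts
// carry no nonce or hash, so the check reports them as refused.
const SNOW_DEMO_CSP = "script-src 'self' blob:";

function checkSnowDemo() {
  return inlineScriptAllowed(SNOW_DEMO_CSP);
}
```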

weizman commented 1 year ago

Yea that's my bad... fair point. I'll get to it 🙏

weizman commented 11 months ago

Snow 2 was a mistake #133