# Snow 2 was a mistake #133

Closed. mmndaniel closed this 11 months ago.

```js
// Reproduction from the issue: a nested srcdoc iframe whose inner realm is
// reached without Snow's protection, because Snow's injected inline script
// is blocked by the page's CSP.
var d = document.createElement('div');
document.body.appendChild(d);
d.innerHTML = `<iframe srcdoc="<iframe></iframe>"></iframe>`;
frames[0][0].alert(1);
```

See console:

> Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' blob:".

.. etc. The CSP doesn't have a nonce/hash, so the inline scripts created by https://github.com/LavaMoat/snow/blob/77d1378e86d08aec531c6d20d0d0ab8f2c04e7b1/src/html.js#L9 and https://github.com/LavaMoat/snow/blob/77d1378e86d08aec531c6d20d0d0ab8f2c04e7b1/src/html.js#L14 won't execute.

---

Yea that's my bad... fair point. I'll get to it 🙏
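The point of the report is that an inline script carrying no nonce or hash simply does not run under a policy such as `script-src 'self' blob:`, so anything Snow injects that way is silently dropped. The following is an added example, not code from the snow project or from the issue thread: a small JavaScript model of the CSP3 rules for inline scripts (`'unsafe-inline'`, `'nonce-…'`, `'sha256/384/512-…'`, `'strict-dynamic'`, and the `script-src-elem` → `script-src` → `default-src` fallback) that a library like Snow could use to decide up front whether its nonce-less inline injection would ever execute on a given page. The function and policy names (`parseCsp`, `scriptSources`, `inlineScriptAllowed`, the sample headers) are my own assumptions; the first sample policy is the one quoted in the console message above.

```javascript
// Added example (not part of snow): decide whether an inline <script> would
// execute under a given Content-Security-Policy header value.
// Assumed helper names; the sample policies below are constructed for the demo.

// Parse "dir1 src src; dir2 src" into a Map of directive -> source list.
// Per CSP, a repeated directive is ignored, so the first occurrence wins.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Inline <script> elements are governed by script-src-elem, then script-src,
// then default-src. With none of them present there is no restriction.
function scriptSources(directives) {
  for (const name of ['script-src-elem', 'script-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// script = { nonce?: string, sha256?: string } describes the inline script.
// Calling it with no attributes models a nonce-less injected script, which is
// the case the issue is about.
function inlineScriptAllowed(cspHeader, script = {}) {
  const sources = scriptSources(parseCsp(cspHeader));
  if (sources === null) return true;

  // Strip the surrounding quotes from keyword/nonce/hash sources.
  const bare = sources.map((s) => s.replace(/^'(.*)'$/, '$1'));
  const keywords = new Set(bare.map((s) => s.toLowerCase()));

  // A matching nonce or hash always allows the script (values are case-sensitive).
  if (script.nonce && bare.includes(`nonce-${script.nonce}`)) return true;
  if (script.sha256 && bare.includes(`sha256-${script.sha256}`)) return true;

  // 'unsafe-inline' is ignored as soon as the directive contains any nonce or
  // hash source, or 'strict-dynamic'; otherwise it is the only way a script
  // without a nonce/hash can run.
  const hasNonceOrHash = bare.some((s) => /^(nonce-|sha(256|384|512)-)/i.test(s));
  const strictDynamic = keywords.has('strict-dynamic');
  return keywords.has('unsafe-inline') && !hasNonceOrHash && !strictDynamic;
}

// Constructed sample policies; the first is the one from the issue's console log.
const SAMPLE_POLICIES = {
  issue: "script-src 'self' blob:",
  defaultOnly: "default-src 'self'; img-src *",
  unsafeInline: "default-src 'self'; script-src 'self' 'unsafe-inline'",
  nonced: "script-src 'nonce-r4nd0m'",
  noncedPlusUnsafeInline: "script-src 'unsafe-inline' 'nonce-r4nd0m'",
  noScriptDirective: "img-src *",
};

// Report, per policy, whether a nonce-less injected inline script would run.
function injectionReport(policies = SAMPLE_POLICIES) {
  const out = {};
  for (const [name, header] of Object.entries(policies)) {
    out[name] = inlineScriptAllowed(header);
  }
  return out;
}

console.log(injectionReport());
```

Under the issue's policy the report says `false`: the injected script is refused, exactly as the console message states, and the only ways to make it run are to carry a nonce the page's policy lists, to have the page list the script's hash, or for the page to allow `'unsafe-inline'` without any nonce, hash or `'strict-dynamic'` source.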