LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Snow can be bypassed with a TrustedHTML node #16

Closed weizman closed 2 years ago

weizman commented 2 years ago

Reproduce by running:

```js
{
const escapeHTMLPolicy = trustedTypes.createPolicy("myEscapePolicy", {
  createHTML: (string) => string.replace('', '')
});

const escaped = escapeHTMLPolicy.createHTML("<iframe onload='this.contentWindow.alert(1)'></iframe>");
document.head.innerHTML=escaped;
}
```

This can be done because Snow specifically exempts TrustedHTML nodes, due to the poor judgment of "9 months ago gal".
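The point of the report is that a `TrustedHTML` object only proves that some policy produced the markup, not that the markup is safe; a policy that returns its input unchanged (the `replace('', '')` above) hands out `TrustedHTML` wrapping anything. The following is an added example, not Snow's own code and not a reproduction of its internals: it models a guard that exempts values by type beside one that stringifies and inspects every value, using a constructed stand-in for `TrustedHTML` because Node has no `trustedTypes`. Class and function names (`FakeTrustedHTML`, `createPolicy`, `countNewRealms`, `typeExemptGuard`, `stringifyingGuard`) are assumptions for this example.

```javascript
// Constructed stand-in for the browser's TrustedHTML: an opaque wrapper whose
// only guarantee is that a Trusted Types policy created it.
class FakeTrustedHTML {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Constructed stand-in for trustedTypes.createPolicy(name, { createHTML }).
function createPolicy(name, rules) {
  return { name, createHTML: (s) => new FakeTrustedHTML(rules.createHTML(s)) };
}

// Counts markup that would open a new same-origin realm (an iframe) once
// assigned to innerHTML. Regex-based for this offline example only; a real
// guard would walk the parsed DOM.
function countNewRealms(markup) {
  return (String(markup).match(/<iframe\b/gi) || []).length;
}

// Guard modelled on the issue: TrustedHTML is assumed "already safe" and is
// not inspected, so it reports zero realms to hook.
function typeExemptGuard(value) {
  if (value instanceof FakeTrustedHTML) return 0;
  return countNewRealms(value);
}

// Hardened guard: provenance is not content, so stringify and inspect every
// value, TrustedHTML included.
function stringifyingGuard(value) {
  return countNewRealms(String(value));
}

// Identity policy, equivalent to the issue's string.replace('', '').
const passthrough = createPolicy('passthrough', { createHTML: (s) => s });
// Policy that actually neutralises tags, for comparison.
const escaping = createPolicy('escaping', { createHTML: (s) => s.replace(/</g, '&lt;') });

// Constructed sample markup that creates one new realm.
const payload = "<iframe src='about:blank'></iframe>";

// Returns what each guard sees for a plain string and for TrustedHTML from each policy.
function demo() {
  const viaPassthrough = passthrough.createHTML(payload);
  const viaEscaping = escaping.createHTML(payload);
  return {
    plainString: { exempt: typeExemptGuard(payload), hardened: stringifyingGuard(payload) },
    passthrough: { exempt: typeExemptGuard(viaPassthrough), hardened: stringifyingGuard(viaPassthrough) },
    escaping: { exempt: typeExemptGuard(viaEscaping), hardened: stringifyingGuard(viaEscaping) },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The type-exempt guard misses the iframe whenever the markup arrives as `TrustedHTML`, regardless of what the policy did; the stringifying guard finds it under the passthrough policy and correctly finds nothing under the escaping one, so it loses nothing by treating trusted and untrusted values alike.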