LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Figure out how or whether Snow should deal with wrapping of html string iframe onload attributes #32

Closed · weizman closed this 1 year ago

weizman commented 2 years ago

Theoretically Snow can be bypassed by running:

```js
top.msg = 'this window is not protected by snow!';
document.head.innerHTML = '<iframe onload="this.contentWindow.alert.call(top, top.msg)"></iframe>';
```

In order to deal with this issue, Snow removes onload attributes from iframes that are constructed via strings.

It does so because this doesn't seem to be a technique that is used under legitimate scenarios, but can be leveraged by attackers to bypass Snow.
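The mitigation described above, as an added example that is not Snow's own code: a string-level sanitizer that walks the start tags of an HTML string and drops `onload` attributes from `<iframe>` tags (handling the `<iframe/onload=...>`, upper-case and unquoted spellings a browser also accepts), plus a guard that wraps an accessor setter such as `innerHTML` so every assigned string passes through the sanitizer first. The `FakeElement` class and `guardedAssign` helper are constructed for this example so it runs under Node; in a browser the guard would be installed on `Element.prototype`, and a DOM-based approach (`DOMParser` plus `removeAttribute`) is the more robust way to do the stripping. Which sinks Snow actually hooks is not stated on this page; `outerHTML`, `insertAdjacentHTML` and `document.write` are other string-to-DOM paths a complete guard would have to cover.

```javascript
'use strict';

// Read one tag starting at html[start] === '<'. Returns the tag name (lower
// case), the tag text, the index just past '>', and the attribute spans
// (offsets inside `text`), or null when the tag is unterminated at EOF.
// Quote characters are only special directly after '=', as in the HTML
// tokenizer; anywhere else they are ordinary attribute-name characters.
function readTag(html, start) {
  let j = start + 1;
  while (j < html.length && !/[\s\/>]/.test(html[j])) j++;
  const name = html.slice(start + 1, j).toLowerCase();
  const attrs = [];
  while (j < html.length) {
    const c = html[j];
    if (c === '>') return { name, text: html.slice(start, j + 1), end: j + 1, attrs };
    if (/[\s\/]/.test(c)) { j++; continue; }       // separators between attributes
    const aStart = j;
    while (j < html.length && !/[\s\/>=]/.test(html[j])) j++;
    const aName = html.slice(aStart, j).toLowerCase();
    let k = j;
    while (k < html.length && /\s/.test(html[k])) k++;
    if (html[k] === '=') {                           // attribute has a value
      k++;
      while (k < html.length && /\s/.test(html[k])) k++;
      const q = html[k];
      if (q === '"' || q === "'") {                  // quoted value
        const close = html.indexOf(q, k + 1);
        if (close === -1) return null;
        j = close + 1;
      } else {                                       // unquoted value
        while (k < html.length && !/[\s>]/.test(html[k])) k++;
        j = k;
      }
    }
    attrs.push({ name: aName, start: aStart - start, end: j - start });
  }
  return null; // EOF inside the tag
}

// Rebuild a tag's text without its onload attribute(s).
function dropOnload(tag) {
  let text = tag.text;
  for (const a of [...tag.attrs].reverse()) {
    if (a.name === 'onload') text = text.slice(0, a.start) + text.slice(a.end);
  }
  return text;
}

// Remove onload attributes from every <iframe> start tag in an HTML string.
// An unterminated tag at EOF is dropped together with everything after it,
// which is what a browser does as well, so the sanitizer fails closed.
function stripIframeOnload(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1 || lt + 1 >= html.length) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    if (!/[A-Za-z!\/?]/.test(html[lt + 1])) {        // a bare '<' is text, not a tag
      out += '<';
      i = lt + 1;
      continue;
    }
    const tag = readTag(html, lt);
    if (tag === null) break;
    out += tag.name === 'iframe' ? dropOnload(tag) : tag.text;
    i = tag.end;
  }
  return out;
}

// Wrap the setter of an accessor property so every assigned value is
// sanitised before the original setter sees it. In a browser this would be
// called as guardHtmlSetter(Element.prototype, 'innerHTML', stripIframeOnload).
function guardHtmlSetter(proto, prop, sanitize) {
  const desc = Object.getOwnPropertyDescriptor(proto, prop);
  if (!desc || typeof desc.set !== 'function') {
    throw new TypeError(`${prop} is not an accessor on the given prototype`);
  }
  Object.defineProperty(proto, prop, {
    ...desc,
    set(value) { desc.set.call(this, sanitize(value === null ? '' : String(value))); },
  });
  return desc; // original descriptor, so the caller can restore it if needed
}

// Stand-in for a DOM element (constructed for this example) so the guard can
// be exercised outside a browser.
class FakeElement {
  constructor() { this._html = ''; }
  get innerHTML() { return this._html; }
  set innerHTML(v) { this._html = v; }
}
guardHtmlSetter(FakeElement.prototype, 'innerHTML', stripIframeOnload);

// Assign an HTML string through the guarded setter and return what was stored.
function guardedAssign(html) {
  const el = new FakeElement();
  el.innerHTML = html;
  return el.innerHTML;
}

// The payload from this issue, assigned through the guarded setter:
console.log(guardedAssign('<iframe onload="this.contentWindow.alert.call(top, top.msg)"></iframe>'));
```

The tokenizer deliberately mirrors the browser's rules for where attribute values start and end rather than matching `onload=` with a regular expression, because a mismatch between what the sanitizer and the HTML parser consider a tag is exactly what an attacker would exploit; even so, a sanitizer that reparses strings is only as good as its agreement with the real parser, which is why the DOM-based form is preferable in the browser.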

weizman commented 2 years ago

If disallowing usage of html string iframe onload attributes prevents your application from running correctly, please share so in this issue thread so we can discuss the problem and understand how to best deal with it.