search

LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License
105 stars 9 forks source link

Custom elements are still vulnerable #56

Closed weizman closed 1 year ago

weizman commented 1 year ago

Snow protection for custom elements that can be extensions for "framable" elements (iframe/frame/object/embed) is not as good as I thought, There are other tricks that can be used there to bypass Snow in a way that is hard to deal with.

Before discovering this, lifecycle callbacks such as the connectedCallback were 2nd in line to Snow, but when applying src to the elements or using other lifecycle callbacks, these callbacks become 1st in line which makes things highly complicated.

Also, when trying to support Firefox #53 both tests from before and after this discovery are vulnerable.

weizman commented 1 year ago

if disallowing extension for "framable" elements (iframe/frame/object/embed) the way Snow does #56 prevents your application from running correctly, please share so in this issue thread so we can discuss the problem and understand how to best deal with it