search

LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License
102 stars 9 forks source link

Firefox does not respect addEventListener calls made with EventTarget of a detached realm #61

Closed weizman closed 1 year ago

weizman commented 1 year ago

We extract all of the natives we need to operate Snow from within an iframe that is immediately detached from DOM to prevent attackers from accessing the natives' realm and abusing it.

Apparently in Firefox, if a call to addEventListener is made and that addEventListener originated in a detached realm, Firefox ignores it (even if the function is called on an object of another realm that is correctly attached and live).

Possible solution:

  1. Instead of detaching the assisting iframe, hide it in a ShadowDOM.
  2. make a unique non-changeable copy of specifically addEventListener from the top main realm instead of the detached iframe.
weizman commented 1 year ago

Fixed (hopefully properly) with #62