LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Snow can be bypassed with document.open('', '', '') #64

Closed (rwaldron closed 1 year ago)

rwaldron commented 1 year ago

Reproduce by running:

const w = document.open('', '', '')
w.parent.alert.call(window, 'x');

In https://lavamoat.github.io/snow/demo/

rwaldron commented 1 year ago

Ref: https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#opening-the-input-stream

weizman commented 1 year ago

Always fun learning weird web stuff - thank you @rwaldron! fixed #65
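
The behaviour behind this report, as an added example that is not part of the thread and not Snow's actual fix: the three-argument form of document.open runs the window open steps and returns a new window, so a wrapper has to treat that return value as a new realm. The names hookDocumentOpen, protectRealm and makeFakeWindow are hypothetical, and the fake window is a constructed stand-in so the code runs in Node.

```javascript
// Added example (not Snow's code). protectRealm is a hypothetical callback
// that applies the page's policy to a newly created same-origin window.
function hookDocumentOpen(win, protectRealm) {
  const proto = win.Document.prototype;
  const nativeOpen = proto.open;
  proto.open = function open(...args) {
    const result = Reflect.apply(nativeOpen, this, args);
    // With three arguments document.open runs the window open steps and
    // returns a WindowProxy (or null) instead of the Document itself.
    if (args.length >= 3 && result !== null && result !== this) {
      protectRealm(result);
    }
    return result;
  };
}

// Constructed stand-in for a browser window so the hook runs offline in Node.
function makeFakeWindow() {
  const win = { alert: () => 'native' };
  win.parent = win; // a top-level window is its own parent
  win.Document = class Document {
    open(...args) {
      return args.length >= 3 ? makeFakeWindow() : this;
    }
  };
  win.document = new win.Document();
  return win;
}

function demo() {
  const top = makeFakeWindow();
  const protect = (w) => {
    w.alert = () => 'blocked';      // stand-in for the real policy
    hookDocumentOpen(w, protect);   // the new realm's document.open needs it too
  };
  protect(top);
  const doc = top.document.open('', '');
  const child = top.document.open('', '', '');
  return {
    twoArgReturnsDocument: doc === top.document,
    childAlert: child.parent.alert(),
  };
}
```
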