Snow can be bypassed with window.parent.alert(...)

LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!

https://lavamoat.github.io/snow/demo/

MIT License

102 stars 9 forks source link

Snow can be bypassed with window.parent.alert(...) #67

Closed rwaldron closed 1 year ago

rwaldron commented 1 year ago

Reproduce by running:

window.parent.alert(1);

In https://lavamoat.github.io/snow/demo/

weizman commented 1 year ago

Can't seem to reproduce this successfully. Here are the steps I've taken:

visit https://lavamoat.github.io/snow/demo/
open console
paste payload above
press enter

Result: Snow successfully captures the alert attempt and logs it to console instead. Would you mind helping me understand what I'm missing? A video or any other creative idea will be highly appreciated.

rwaldron commented 1 year ago

Yep, same environment issue I described in https://github.com/LavaMoat/snow/issues/68