LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Snow can be bypassed with postMessage from iframe by accessing event.source and event.currentTarget #68

Closed rwaldron closed 1 year ago

rwaldron commented 1 year ago

Reproduce by running

const handler = (event) => {
  event.currentTarget.alert(1)
  event.source.alert(1);
  window.removeEventListener('message', handler);
};

window.addEventListener('message', handler);

const iframe = document.createElement('iframe');

document.body.append(iframe);

const script = iframe.contentDocument.createElement('script');
script.textContent = `
  window.parent.postMessage(0, '*');
`;

iframe.contentDocument.body.append(script);

In https://lavamoat.github.io/snow/demo/

weizman commented 1 year ago

Can't seem to reproduce this successfully. Here are the steps I've taken:

  1. visit https://lavamoat.github.io/snow/demo/
  2. open console
  3. paste payload above
  4. press enter

Result: Snow successfully captures the alert attempt and logs it to console instead. Would you mind helping me understand what I'm missing? A video or any other creative idea will be highly appreciated.

rwaldron commented 1 year ago

I just realized that I hadn't refreshed the demo page, so my previous changes were still active in the global object. lol, realms are hard 🤦

weizman commented 1 year ago

lol, yea tell me about it. I feel like I'm closer to madness than adoption with this project tbh.
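The thread above turns on a property of same-origin realms: a `message` handler receives `event.source`, a live reference to the sending iframe's global, so a protection that only patches the top window's `alert` leaves that path open unless new iframe realms are protected as they are created. The following Node model is an added example, not Snow's code; `Realm`, `protectRealm`, `protectRealmTree` and `runScenario` are hypothetical stand-ins that only model the browser behaviour the issue exercises.

```javascript
// Hypothetical model (not Snow's code) of a page realm that can spawn
// same-origin iframe realms and deliver "message" events carrying a
// reference to the sending realm, as event.source does in the browser.
class Realm {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.listeners = [];
    this.children = [];
    // The realm's own, unprotected alert (constructed stand-in for window.alert).
    this.alert = (msg) => `alert from ${name}: ${msg}`;
  }
  addEventListener(type, fn) { if (type === 'message') this.listeners.push(fn); }
  // Appending an iframe in the browser creates a fresh realm with its own globals.
  createIframe() {
    const child = new Realm(`${this.name}/iframe${this.children.length}`, this);
    this.children.push(child);
    return child;
  }
  // event.source is the sender's global; event.currentTarget is the receiver's.
  postMessage(data, source) {
    return this.listeners.map((fn) => fn({ data, source, currentTarget: this }));
  }
}

// Protection applied to a single realm: alert calls are captured and logged.
function protectRealm(realm, log) {
  realm.alert = (msg) => { log.push(`${realm.name}: blocked alert(${msg})`); return 'blocked'; };
}

// Protection that also hooks realm creation so every new iframe realm is covered.
function protectRealmTree(realm, log) {
  protectRealm(realm, log);
  const original = realm.createIframe.bind(realm);
  realm.createIframe = () => { const child = original(); protectRealmTree(child, log); return child; };
}

// The issue's scenario: the top handler calls alert on event.source and event.currentTarget.
function runScenario(protect) {
  const log = [];
  const top = new Realm('top');
  protect(top, log);
  let result;
  top.addEventListener('message', (event) => {
    result = { source: event.source.alert(1), currentTarget: event.currentTarget.alert(1) };
  });
  const frame = top.createIframe();    // same-origin iframe appended after protection
  frame.parent.postMessage(0, frame);  // iframe script: window.parent.postMessage(0, '*')
  return { result, log };
}
```

With `protectRealm` alone, `event.currentTarget.alert` is blocked but `event.source.alert` runs the child realm's native alert; with `protectRealmTree`, both calls are captured, which is the behaviour the demo page showed once the stale globals were cleared.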