LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Snow can be bypassed with a data url iframe performing the alert #7

Closed benjamingr closed 2 years ago

benjamingr commented 2 years ago
```javascript
/*
attempts to bypass Snow after running:

SNOW((win) => {
    win.alert = (msg) => {
        console.log('Snow: ', 'alert API is disabled, message is printed to console instead: ', msg);
    }
});
*/
{
  // the base64 body decodes to: <script>alert('hi')</script>
  const fr = document.createElement('iframe');
  fr.src = "data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGknKTwvc2NyaXB0Pg==";
  document.body.appendChild(fr);
}
```
naugtur commented 2 years ago

Denying data: src seems like a decent policy to have (it might break some of the generative file download libs)

weizman commented 2 years ago

Cross origin realms are by definition out of Snow's scope. Snow aspires to protect only against same origin realms, as they are the only ones that it can run code within. It is meant to allow the defender to defend its realm against attackers - cross origin realms can't access the defender's realm in the first place.
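
The two comments above make a scope argument (a data: iframe is a cross-origin realm, so Snow never runs inside it) and float a policy (deny data: srcs). The block below is an added example, written for this page; it is not code from the Snow project or from anyone in this thread. It classifies an iframe src by the origin its document would get, going a little beyond the data: case to the other src kinds the HTML spec treats specially (about:blank, about:srcdoc and javascript: inherit the embedder's origin; blob: carries its creator's origin; data: gets an opaque origin), and then applies the deny-data: policy before the frame would be attached. It also decodes the issue's own data: URL so the payload is visible. The page origin, the sample srcs other than the issue's, the function names and the `denyDataUrls` option are all assumptions of this example. It runs under Node (WHATWG `URL` and `Buffer`).

```javascript
// Added example for this thread; not Snow's code. Origin rules follow the HTML spec.

// The only input taken from the issue itself.
const ISSUE_SRC = 'data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGknKTwvc2NyaXB0Pg==';

// Classify an <iframe src> relative to the embedding page's origin.
// sameOrigin === true means the frame's realm is one Snow could run code in.
function classifyIframeSrc(src, pageOrigin) {
  const s = String(src).trim();

  // Empty src, about:blank, about:srcdoc and javascript: all yield a document
  // that inherits the embedder's origin: same-origin, so Snow's hooks apply.
  if (s === '' || s === 'about:blank' || s === 'about:srcdoc' || /^javascript:/i.test(s)) {
    return { scheme: 'inherit', origin: pageOrigin, sameOrigin: true };
  }

  let url;
  try {
    url = new URL(s, pageOrigin + '/'); // resolve relative srcs against the page
  } catch {
    return { scheme: null, origin: null, sameOrigin: false };
  }

  // data: URLs get an opaque origin ("null"): the frame is cross-origin even
  // though the embedder supplied all of its content. This is the issue's case.
  if (url.protocol === 'data:') {
    return { scheme: 'data', origin: 'null', sameOrigin: false };
  }

  // blob: URLs carry the origin of the realm that created the blob, which is
  // the URL embedded after "blob:".
  if (url.protocol === 'blob:') {
    let inner = null;
    try { inner = new URL(url.pathname); } catch { /* malformed inner URL */ }
    const origin = inner ? inner.origin : 'null';
    return { scheme: 'blob', origin, sameOrigin: origin === pageOrigin };
  }

  // Ordinary hierarchical URLs: compare the (scheme, host, port) tuple.
  return {
    scheme: url.protocol.replace(/:$/, ''),
    origin: url.origin,
    sameOrigin: url.origin === pageOrigin,
  };
}

// The policy floated in the thread: refuse data: srcs before the iframe is
// attached. Hypothetical helper; `denyDataUrls` is this example's own option.
function iframeSrcPolicy(src, pageOrigin, { denyDataUrls = true } = {}) {
  const c = classifyIframeSrc(src, pageOrigin);
  if (denyDataUrls && c.scheme === 'data') {
    return { allowed: false, snowCanHook: false, reason: 'data: iframe denied by policy' };
  }
  return {
    allowed: true,
    snowCanHook: c.sameOrigin,
    reason: c.sameOrigin ? 'same-origin realm, Snow hooks apply' : 'cross-origin realm, out of Snow scope',
  };
}

// Decode a data: URL so the markup a frame would render can be inspected.
function decodeDataUrl(src) {
  const m = /^data:([^,]*?)(;base64)?,([\s\S]*)$/i.exec(String(src).trim());
  if (!m) throw new Error('not a data: URL');
  const [, mediaType, b64, body] = m;
  const text = b64 ? Buffer.from(body, 'base64').toString('utf8') : decodeURIComponent(body);
  return { mediaType: mediaType || 'text/plain', text };
}

// Constructed page origin and sample srcs (not from the page), plus the issue's payload.
const PAGE_ORIGIN = 'https://app.example';
const SAMPLES = [
  ISSUE_SRC,
  'about:blank',
  '/widget.html',
  'https://cdn.example/w.html',
  'blob:https://app.example/0f1e2d',
];
for (const s of SAMPLES) {
  console.log(s.slice(0, 40).padEnd(42), JSON.stringify(iframeSrcPolicy(s, PAGE_ORIGIN)));
}
console.log('issue payload decodes to:', decodeDataUrl(ISSUE_SRC).text);
```

Run `iframeSrcPolicy(src, location.origin)` before `appendChild` to apply the deny-data: policy; `snowCanHook` is the scope statement from the thread made explicit for each src kind.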

weizman commented 2 years ago

added a comment to the demo so this will be clear @benjamingr

https://github.com/LavaMoat/snow/commit/2391bf7ca85c13c86a4942d6a6d8751b6a88d324