Closed magicmac closed 1 year ago
By the way, @weizman, I've just realized I'm too old, that's why I recalled frameSet, but no worries, nobody that was born after 2000's will know it, so no hurries =) :P
Hi again @magicmac!
In my defense, I was well aware of frameset
in this project already as can be seen here.
This vulnerability is actually more specific than you think, and quite strange actually!
When injecting srcdoc
html, I hook into that and make sure to protect it. I do so, by loading the html of the srcdoc
into a fake element, and then apply Snow protections to any "realmable" elements. I use the standard template
element to accomplish the task.
HOWEVER, it turns out rendering the <frameset>
element within a template element is impossible for some reason! Maybe because it's so old? 😅
If you try to load <frameset><frame src="javascript:alert.call(top, 1 )"></frameset>
into a template element, you end up with zero children!
To fix that, I transitioned into using a regular DOM element instead of the template one, which identifies the frameset
element at parsing correctly.
That was enough to patch this super specific and cool vulnerability #75
Thanks again @magicmac!
Haha =) I'm glad that you already played with that. I believe that the frameset
element is not only old, but deprecated, discouraged and disliked! I don't know why it's not rendering in templates but I remember I had problems in the past rendering them after the body
element. Either way, I will come back in a few weeks once the online version is patched and play again with it! It's an immense challenge that you are trying to achieve, and it's fun to play with it :)
Either way, congrats and thank you for trying to make the web safer! =)
It seems that I'm inspired :) Here's another one using a frameset. Top access directly.
Happy patching!