search

LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License
103 stars 9 forks source link

documentPictureInPicture bypasses snow #77

Closed NDevTK closed 1 year ago

NDevTK commented 1 year ago

A new feature exists in chromium under an origin trial https://chromestatus.com/feature/5755179560337408 Probably should be treated like a popup.

onclick = async () => {
    w = await documentPictureInPicture.requestWindow();
    w.alert.call(window, 'hello world');
    w.close();
}
weizman commented 1 year ago

Thanks for the heads up! Will look in to that soon 🙏

NDevTK commented 1 year ago

At the moment easiest way to test it is with chrome://flags/#document-picture-in-picture-api

weizman commented 1 year ago

Here's a draft. harder than i thought. still need to write the tests. #79

weizman commented 1 year ago

Added tests. was also harder because this feature requires "real" user interaction in order to work, so had to fake one via wdio.

weizman commented 1 year ago

merged fix #79

weizman commented 1 year ago

Lol now i see the connection. Awesome job man!! https://twitter.com/bugschromium/status/1681366231293603840?s=46&t=3av-wxCFEbML6grYvIm18A @NDevTK