LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Demo has insecure implementation #78

Closed NDevTK closed 1 year ago

NDevTK commented 1 year ago

Using the code `<script src="./snow.js"></script>` and later having `<i style="font-size: 24px">~ Can you pop an <a href="javascript:alert(123)">alert</a> in this page?</i>` is not safe because the script load may fail.

More information can be found at https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/#skipping-dependencies. I think the solution would be to use an event or variable to know when the sandbox is enforced.
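
The "event or variable" check suggested above, written as an added example that is not part of the issue thread or of Snow's code: untrusted markup is held back until the protection script confirms it is installed, and a failed load or a missed deadline leaves the page closed. `createProtectionGate`, `simulate` and the wiring in the comments are hypothetical names, and `SNOW` as the global defined by snow.js is an assumption.

```javascript
// Added example: fail-closed gate. Untrusted markup is held back until the
// protection script confirms it is installed. All names are hypothetical.
function createProtectionGate({ render, block, timeoutMs = 3000,
                                setTimer = setTimeout, clearTimer = clearTimeout }) {
  let state = 'pending';   // 'pending' -> 'enforced' | 'blocked'
  let timer = null;
  const held = [];         // fragments submitted before the outcome is known

  function settle(next, reason) {
    if (state !== 'pending') return;      // first outcome wins
    state = next;
    if (timer !== null) clearTimer(timer);
    if (next === 'enforced') held.splice(0).forEach(render);
    else { held.length = 0; block(reason); }
  }
  // No confirmation within the deadline is treated the same as a failed load.
  timer = setTimer(() => settle('blocked', 'timeout'), timeoutMs);

  return {
    markEnforced: () => settle('enforced'),
    markFailed: (reason = 'load-error') => settle('blocked', reason),
    submit(fragment) {
      if (state === 'enforced') render(fragment);
      else if (state === 'pending') held.push(fragment);
      return state;                        // 'blocked': fragment is dropped
    },
    get state() { return state; },
  };
}

// Browser wiring (assumed; `SNOW` as the global defined by snow.js is an assumption):
//   <script src="./snow.js" onerror="gate.markFailed()"></script>
//   <script>typeof SNOW === 'function' ? gate.markEnforced() : gate.markFailed('missing')</script>

// Constructed scenario with a fake timer so it runs offline in Node.
function simulate(outcome) {
  const rendered = [], blocked = [];
  let fireTimeout = () => {};
  const gate = createProtectionGate({
    render: (f) => rendered.push(f), block: (r) => blocked.push(r),
    setTimer: (fn) => { fireTimeout = fn; return 1; }, clearTimer: () => {},
  });
  gate.submit('<a href="#">untrusted link (constructed)</a>');
  if (outcome === 'loaded') gate.markEnforced();
  else if (outcome === 'load-error') gate.markFailed();
  else fireTimeout();                      // script neither ran nor errored
  gate.markEnforced();                     // a late "ready" must not reopen a blocked gate
  return { state: gate.state, rendered: rendered.length, blocked };
}
```

The gate only helps if the untrusted markup is passed through `submit` instead of being written into the static HTML after the script tag.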

weizman commented 1 year ago

Interesting. Although this is just a demo, this doesn't worry me in the context of this project.