Clash when snow protected page opens itself - Githubissues

LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!

https://lavamoat.github.io/snow/demo/

MIT License

102 stars 9 forks source link

Clash when snow protected page opens itself #81

Closed weizman closed 1 year ago

weizman commented 1 year ago

<!-- https://wow.com/x.html -->
<script> SNOW(() => {}); </script>
<script> open('https://wow.com/x.html'); </script>

load https://wow.com/x.html.
page runs Snow protection.
page opens new window to https://wow.com/x.html and marks it.
opened page tries to run snow protection and to mark it, but fails because opener has marked it already.
infinite loop.

This is tricky, how do i make the opened understand that it is Snow protected without an attacker being able to leverage that?