LavaMoat / snow

Use Snow to finally secure your web app's same origin realms!
https://lavamoat.github.io/snow/demo/
MIT License

Bypass using object with no contentWindow #96

Closed mmndaniel closed 1 year ago

mmndaniel commented 1 year ago

```js
// Create an <object> and pin its contentWindow property to null
var obj = document.createElement('object');
Object.defineProperty(obj, 'contentWindow', { value: null });
document.body.appendChild(obj);
obj.data = '/'; // same-origin URL: the object now hosts a fresh same-origin realm
obj.contentDocument.defaultView.alert(1); // reach that realm's window through contentDocument instead
```

Basically workaround chromium_bug_workaround.js :) should be easy to fix using this

mmndaniel commented 1 year ago

turns out it even works without `Object.defineProperty(obj, 'contentWindow', { value: null });` (which makes sense, there's no contentWindow before the `obj.data = '/';`)!

weizman commented 1 year ago

yea this doesn't seem to be a chromium_bug_workaround.js problem even, there's just something off with reloading an already attached object to the same origin.. not sure why...

weizman commented 1 year ago

I'd expect the load listener to fire but with object it doesn't for some reason

mmndaniel commented 1 year ago

Seems like this is the same root cause?

```js
// Insert an <embed> via innerHTML rather than createElement
var d = document.createElement('div');
document.body.appendChild(d);
d.innerHTML = `<embed id="tst"></embed>`;
// After a tick, point the embed at about:blank, then reach the new realm via frames[0]
setTimeout(() => { tst.src = 'about:blank'; setTimeout(() => frames[0].alert(1), 100); }, 100);
```

weizman commented 1 year ago

does this work for you on https://lavamoat.github.io/snow/demo/? @mmndaniel

weizman commented 1 year ago

researching https://github.com/LavaMoat/snow/issues/96#issue-1758952553 more i learned something sad about objects. They behave differently than iframes, changing their data prop resets the window to an about:blank window synchronously. if the prop was reset to a "legit" url, the listener will fire afterwards, but that doesn't change the fact that this object resets synchronously to an about:blank window every time data prop is being set and its load event does not fire.. can't think of a solution other than hooking into attributes setting which is something i really don't want to get into...
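
A constructed probe page, added here as an example and not code from the Snow project, that makes the behaviour described in the comment above observable: it reassigns an `<object>`'s `data`, records synchronously whether `contentWindow` is already a different window, and later reports whether a `load` listener (the hook point a realm-protection layer would rely on) ever fired. The `probeObjectReload` helper and its labels are assumptions; serve the page from a same-origin HTTP server and read the console.

```html
<!doctype html>
<!-- Constructed probe page (added example, not part of the Snow repository). -->
<script>
  // Reads location.href defensively so a non-same-origin window cannot abort the probe.
  function hrefOf(win) {
    try { return win ? win.location.href : null; } catch (e) { return '<cross-origin>'; }
  }

  // Reassigns obj.data and records what a load-event-based realm hook would see.
  function probeObjectReload(obj, data, label) {
    const before = obj.contentWindow;
    const report = { label, windowChangedSync: false, syncHref: null, loadFired: false };
    obj.addEventListener('load', () => {
      report.loadFired = true;
      console.log(label, 'load fired; href =', hrefOf(obj.contentWindow));
    }, { once: true });
    obj.data = data;                       // the reassignment the thread is about
    const after = obj.contentWindow;
    report.windowChangedSync = after !== before;  // a new window with no event yet?
    report.syncHref = hrefOf(after);
    console.log(label, 'synchronous view:', report);
    // Give a "legit" URL time to load, then show whether load ever fired.
    setTimeout(() => console.log(label, 'after 1s:', report), 1000);
    return report;
  }

  window.addEventListener('DOMContentLoaded', () => {
    const obj = document.createElement('object');
    document.body.appendChild(obj);
    probeObjectReload(obj, '/', 'first set');                          // same-origin resource
    setTimeout(() => probeObjectReload(obj, '/', 'reset to same URL'), 1500);
  });
</script>
```

Compare the `synchronous view` line with the `after 1s` line for each label: a realm that is already present synchronously but for which `loadFired` stays false is exactly the window a load-listener hook misses.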

mmndaniel commented 1 year ago

Well, one (risky, non-performant, buggy) hack I can think of is to use mutation events, but that's really not a good idea (they are deprecated for good reasons).

weizman commented 1 year ago

Are they synchronous? Because if not they are no help unfortunately

mmndaniel commented 1 year ago

yes they are, they are really terrible

weizman commented 1 year ago

yea I'm starting to recall these... I'd like to avoid that if possible :(

weizman commented 1 year ago

not scared of objects/embeds anymore thanks to #118