Closed: mmndaniel closed this issue 1 year ago
Even worse, this `contentWindow` access can be trapped completely:

```js
var f = document.createElement('iframe');
// An own-property accessor on the element shadows the native
// HTMLIFrameElement.prototype getter, so reading f.contentWindow
// runs whatever code the trap chooses to run.
Object.defineProperty(f, 'contentWindow', {
  get: function() {
    window[0].alert(1);
  }
});
document.body.appendChild(f);
```

Which is a problem on one hand, but I can't see a way around it atm...
Can't you use the native getter?

```js
var _get = Object.getOwnPropertyDescriptor(HTMLIFrameElement.prototype, 'contentWindow').get;
```

(same with embed, etc.) I guess the question is if it will make it appear in frames.
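Added example, not code from the issue or the project: it puts the instance-level trap from the first comment next to the native-getter access suggested above, with the accessor captured from the prototype before the trap is installed. Under Node, where there is no DOM, a constructed stand-in class takes the place of HTMLIFrameElement; the names `safeContentWindow`, `trapContentWindow` and `demo` are mine.

```javascript
// In a browser the real HTMLIFrameElement is used; under Node a constructed
// stand-in with the same shape (a prototype accessor) plays the same role.
const HAS_DOM = typeof HTMLIFrameElement !== 'undefined';

// Constructed stand-in for Node only.
class StandInIFrame {
  get contentWindow() { return { origin: 'native' }; }
}
const IFrameCtor = HAS_DOM ? HTMLIFrameElement : StandInIFrame;

// Hardening step: capture the prototype accessor BEFORE any untrusted page
// script runs. If an attacker redefines the prototype getter first, this
// capture is itself poisoned, so ordering is the whole point.
const nativeContentWindowGet =
  Object.getOwnPropertyDescriptor(IFrameCtor.prototype, 'contentWindow').get;

// Resolve contentWindow through the captured accessor with the element as
// receiver; an own property defined on the instance is never consulted.
function safeContentWindow(frame) {
  return Reflect.apply(nativeContentWindowGet, frame, []);
}

// The trap from the issue: shadow contentWindow on the instance itself.
function trapContentWindow(frame, log) {
  Object.defineProperty(frame, 'contentWindow', {
    get() { log.push('trap'); return { origin: 'attacker' }; },
  });
}

// Compare the naive property read with the hardened read on a trapped frame.
function demo() {
  const log = [];
  const frame = HAS_DOM ? document.createElement('iframe') : new StandInIFrame();
  trapContentWindow(frame, log);
  const naive = frame.contentWindow;           // own-property getter wins
  const trapsAfterNaive = log.length;
  const hardened = safeContentWindow(frame);   // prototype getter, untrapped
  const trapsAfterHardened = log.length;
  return {
    naiveTrapped: naive !== null && naive.origin === 'attacker',
    hardenedTrapped: trapsAfterHardened > trapsAfterNaive,
    hardenedResult: hardened,                  // null for a detached iframe in a browser
  };
}
```

In a browser the hardened read returns `null` until the iframe is attached, which is the native behaviour, not the trap.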
So after some research, the chromium bug is different than I thought, but that's good news. It doesn't require access specifically to `contentWindow`, but a broader and more abstract manipulation of the object. Luckily (for a reason I don't understand), running `Object.getOwnPropertyDescriptor(frame, 'xxx')` on it works too (which, in contrast to the former method, cannot be trapped). This is what I mean here, but it actually exploits the chromium bug workaround this time :)