Old Snow tests show Snow vulnerability on Firefox #59

Closed
weizman opened this issue Jan 8, 2023 · 3 comments
Labels: bug (Something isn't working), vulnerability (Introduces snow bypass)

Comments


weizman commented Jan 8, 2023

Lines 50 and 74 are old tests that do crazy stuff to bypass Snow using embed and object.

Now with #53, these tests show that on Firefox Snow fails to protect realms when those techniques are being used.
This is an active vulnerability in Snow-Firefox that needs to be addressed.


weizman commented Jan 8, 2023

Does this leave me extra vulnerable?

Not at all, this simply means Snow can be bypassed which is similar to not having Snow running in the first place, so you're not left more vulnerable than before, but just as much.


weizman commented Feb 17, 2023

From f2258c7 these 2 tests are skipped, but still need to be solved!

weizman added the bug and vulnerability labels Jun 22, 2023

weizman commented Jul 17, 2023

Objects and embed are now forbidden by CSP thanks to #118.

weizman closed this as completed Jul 17, 2023
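
The closing comment relies on CSP forbidding `object` and `embed`. The following added example (not part of the thread and not Snow's code) checks whether a set of enforced `Content-Security-Policy` values actually blocks those elements; how #118 applies its policy is not shown on this page, so the function names and sample policies are assumptions made for illustration.

```javascript
// Added example, not Snow's code: does an enforced CSP forbid <object>/<embed>?
// Constructed policies are used in the checks; no real header is quoted.

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when the policy lets no URL load into <object> or <embed>.
function policyBlocksPlugins(policy) {
  const d = parsePolicy(policy);
  // object-src governs both elements and falls back to default-src.
  const sources = d.has('object-src') ? d.get('object-src') : d.get('default-src');
  if (sources === undefined) return false; // nothing restricts the load
  // Only an empty list or a lone 'none' matches nothing; 'none' next to
  // other sources is ignored and those sources stay allowed.
  return sources.length === 0 ||
    (sources.length === 1 && sources[0].toLowerCase() === "'none'");
}

// Every delivered policy is enforced, so one blocking policy is enough.
// A header value may carry several policies separated by commas.
function headersBlockPlugins(headerValues) {
  return headerValues
    .flatMap((value) => value.split(','))
    .some((policy) => policyBlocksPlugins(policy));
}
```

Pass only enforced policy values; a `Content-Security-Policy-Report-Only` header reports violations without blocking them.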