Forbid srcdoc frames with inner CSP meta tag

[weizman]

should address #94, #90 and probably some other future crap too.

CSP can prevent Snow from running in new documents, which specifically srcdoc iframes can leverage.

This PR removes the ability to create srcdoc frames with meta CSP tags by assuming that this technique has no real world usage other than malicious.

[mmndaniel]

Ah, I hope it's not too dangerous (i.e. significantly increases protected app breakage risk). Anyways, it needs to more work to be secure, because findMetaCSP relays on prototype chain, so:
Object.defineProperty(Element.prototype, 'attributes', { value: [] });
or
Object.defineProperty(Attr.prototype, 'value', { value: '' });
Makes the bypass work again.

[weizman]

Not really because the prototype chain is coming from the realm i used for creating natives in the beginning of execution which is the realm of an iframe that was immediately removed from dom forever, so polluting it is between extremely difficult and probably impossible.
You may try to produce a poc if you believe I'm wrong.

[weizman]

And yes, before merging i will make sure major websites don't suffer from this, but I highly doubt it.
Do you see any other issues with this approach?

[mmndaniel]

Check these out:

Object.defineProperty(Element.prototype, 'attributes', { value: [] });
var d = document.createElement('div');
                testdiv.appendChild(d);
                d.innerHTML = `
    <iframe
        srcdoc="
        <meta http-equiv='Content-SecuriTy-Policy' content=&quot;script-src 'nonce-pwnd' ;&quot;>
            <iframe src=&quot;javascript:haha&quot;>
            </iframe>
        <script nonce=&quot;pwnd&quot;>frames[0].alert(1);</script>">
    </iframe>`

Object.defineProperty(Attr.prototype, 'value', { value: '' });
var d = document.createElement('div');
                testdiv.appendChild(d);
                d.innerHTML = `
    <iframe
        srcdoc="
        <meta http-equiv='Content-SecuriTy-Policy' content=&quot;script-src 'nonce-pwnd' ;&quot;>
            <iframe src=&quot;javascript:haha&quot;>
            </iframe>
        <script nonce=&quot;pwnd&quot;>frames[0].alert(1);</script>">
    </iframe>`

[weizman]

You're so right, this is one detail I missed with safe natives handling, I used a native createElement function but called it on the main vulnerable document, meaning nodes created that way were in fact vulnerable to prototype pollution.
fixed f0aed38

[weizman]

Checked against major websites, seems to work perfectly fine, merging