Forbid srcdoc frames with inner CSP meta tag #104
Conversation
Ah, I hope it's not too dangerous (i.e. significantly increases protected app breakage risk). Anyways, it needs more work to be secure, because
Not really, because the prototype chain is coming from the realm I used for creating natives at the beginning of execution, which is the realm of an iframe that was immediately removed from the DOM forever, so polluting it is between extremely difficult and probably impossible.
And yes, before merging I will make sure major websites don't suffer from this, but I highly doubt it.
Check these out:
You're so right, this is one detail I missed with safe natives handling, I used a native
Checked against major websites, seems to work perfectly fine, merging.
Should address #94, #90 and probably some other future crap too.
CSP can prevent Snow from running in new documents, which srcdoc iframes in particular can leverage.
This PR removes the ability to create srcdoc frames with meta CSP tags, on the assumption that this technique has no real-world usage other than malicious.
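As an added illustration of the kind of guard this PR describes (example code written for this page, not Snow's own implementation): scan a srcdoc string for a `<meta http-equiv="Content-Security-Policy">` tag and refuse to set it on the frame. The `makeStandInFrameProto` helper is a constructed stand-in for `HTMLIFrameElement.prototype` so the guard can be exercised outside a browser; the check is deliberately conservative (it also flags CSP metas inside comments) because the PR treats any such srcdoc as unwanted.

```javascript
// Returns true if the srcdoc markup contains a <meta> tag whose http-equiv is
// Content-Security-Policy, regardless of attribute order, case or quoting style.
function srcdocHasInlineCsp(srcdoc) {
  if (typeof srcdoc !== 'string') return false;
  const metaTag = /<meta\b([^>]*)>/gi;            // each <meta ...> opening tag
  let m;
  while ((m = metaTag.exec(srcdoc)) !== null) {
    // http-equiv="...", http-equiv='...' or unquoted http-equiv=...
    const eq = /http-equiv\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(m[1]);
    if (!eq) continue;
    const value = (eq[1] ?? eq[2] ?? eq[3] ?? '').trim().toLowerCase();
    if (value === 'content-security-policy') return true;
  }
  return false;
}

// Wraps the existing `srcdoc` accessor on a frame prototype so that assigning
// markup with an inline CSP meta tag throws instead of creating the frame.
// Caveat: this only covers the property setter; setAttribute() and markup
// parsed from innerHTML are separate paths a full guard must also hook.
function guardSrcdocSetter(proto) {
  const desc = Object.getOwnPropertyDescriptor(proto, 'srcdoc');
  if (!desc || typeof desc.set !== 'function') throw new Error('srcdoc accessor not found');
  Object.defineProperty(proto, 'srcdoc', {
    configurable: true,
    enumerable: desc.enumerable,
    get: desc.get,
    set(value) {
      if (srcdocHasInlineCsp(String(value))) {
        throw new Error('srcdoc frames with an inline CSP <meta> tag are forbidden');
      }
      return desc.set.call(this, value);
    },
  });
}

// Constructed stand-in for HTMLIFrameElement.prototype (no DOM needed here);
// in a real page you would pass HTMLIFrameElement.prototype instead.
function makeStandInFrameProto() {
  const proto = {};
  Object.defineProperty(proto, 'srcdoc', {
    configurable: true,
    enumerable: true,
    get() { return this._srcdoc ?? ''; },
    set(v) { this._srcdoc = String(v); },
  });
  return proto;
}
```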