Bypasses via Blob URIs #43
Comments
window.open(URL.createObjectURL(new Blob(["<script>window.opener.location='about:blank'; setTimeout(()=>{window.opener.alert(window.origin)}, 100);</script>"], {type: "text/html"}))) |
|
This is awesome - great catch! I have to admit I'm fairly confused, when I began this project I remember researching blobs specifically knowing they might cause trouble and for some reason came to the conclusion they are cross origin by definition - I'm surprised to see that is clearly not the case. Here's my fix attempt #45, if you wanna have a look that'd be great, feel free also not to. Regarding your 2nd find, tricks that involve redirecting the top realm are currently out of Snow's scope. That is because AFAIK controlling redirection is impossible with JS and also an attack that involves redirecting the top main realm of the attacked page is rather rare and intrusive, not something you'd probably see. Nevertheless, I can see real potential damage with such a technique, so I'm open to suggestions if anyone has a clever idea on how to defend against that. |
|
It was decided to disable creation of URL object out of Blob/File completely until a clever solution is proposed. |
|
if disallowing creation of URL object out of Blob/File completely the way Snow does in #69 prevents your application from running correctly, please share so in this issue thread so we can discuss the problem and understand how to best deal with it |
|
linking this issue also to #87 where an improvement to this logic was introduced |
The text was updated successfully, but these errors were encountered: