Custom elements are still vulnerable #56
Labels
vulnerability
Introduces snow bypass
Comments
|
if disallowing extension for "framable" elements (iframe/frame/object/embed) the way Snow does #56 prevents your application from running correctly, please share so in this issue thread so we can discuss the problem and understand how to best deal with it |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Snow protection for custom elements that can be extensions for "framable" elements (iframe/frame/object/embed) is not as good as I thought, There are other tricks that can be used there to bypass Snow in a way that is hard to deal with.
Before discovering this, lifecycle callbacks such as the
connectedCallbackwere 2nd in line to Snow, but when applyingsrcto the elements or using other lifecycle callbacks, these callbacks become 1st in line which makes things highly complicated.Also, when trying to support Firefox #53 both tests from before and after this discovery are vulnerable.
The text was updated successfully, but these errors were encountered: