Snow can be bypassed with postMessage from iframe by accessing event.source and event.currentTarget

[rwaldron]

Reproduce by running

const handler = (event) => {
  event.currentTarget.alert(1)
  event.source.alert(1);
  window.removeEventListener('message', handler);
};

window.addEventListener('message', handler);

const iframe = document.createElement('iframe');

document.body.append(iframe);

const script = iframe.contentDocument.createElement('script');
script.textContent = `
  window.parent.postMessage(0, '*');
`;

iframe.contentDocument.body.append(script);

In https://lavamoat.github.io/snow/demo/

[weizman]

Can't seem to reproduce this successfully. Here are the steps I've taken:

1. visit https://lavamoat.github.io/snow/demo/
2. open console
3. paste payload above
4. press enter

Result: Snow successfully captures the alert attempt and logs it to console instead.
Would you mind helping me understand what I'm missing? A video or any other creative idea will be highly appreciated.

[rwaldron]

I just realized that I hadn't refreshed the demo page, so my previous changes were still active in the global object. lol, realms are hard 🤦

[weizman]

lol, yea tell me about it. I feel like I'm closer to madness than adoption with this project tbh.