Bypass using nested iframe

[mmndaniel]

var d = document.createElement('div');
document.body.appendChild(d);
d.innerHTML = `
<iframe srcdoc="<iframe></iframe><script>frames[0].alert(1)</script>">
</iframe>`;

No src, srcdoc, attributes, listeners, etc... so it's just left unhooked.

[weizman]

This is a cool one actually.
It was a conscious decision in Snow to not attempt to protect the initial HTML from same origin realms, but only JS created same origin realms (hard to explain why, mostly because it's usually out of Snow's power to attempt to accomplish that in the first place).
However, Snow not taking that into consideration, allows achieving that state with the "initial" HTML of a child frame rather the top.
And that is something Snow should take care of.

[weizman]

in other words, a simpler version of your PoC works too:

var d = document.createElement('iframe');
d.srcdoc = `<iframe></iframe><script>frames[0].alert(1)</script>`;
document.body.appendChild(d);

[weizman]

Ok I came up with a draft for the solution but I'm not sure how I feel about it.. #101

In such scenarios (new inner documents such as srcdoc), I am handling dynamic creation of iframes.
What I'm not handling, as described above, is specifically static iframes (iframes that appear in the HTML of the srcdoc itself).

So in #101 I created some code that when srcdoc is called, goes through all frames that are being injected and injects a script tag right afterwards that will take the upper frame and pass it to snow - something like this:

// before
<iframe></iframe>
<script>frames[0].alert(1)</script>

// after
<iframe></iframe>
<script>
	* find iframe above
	* pass it to snow
	* remove this script
</script>
<script>frames[0].alert(1)</script>

This still can be bypassed based on previous, yet to be addressed, issues such as #92 / #90 / etc, which hopefully should be addressed separately.

I hope this solution is hermetic but I feel like I'm too deep into defense here.. would love some help on this @mmndaniel

[weizman]

There might be so many edge cases to trying to parse this HTML and patch it up... might require some more research..