rwaldron

Events

fix: add ShadowRealm enablement option for virtual environment creation in near-membrane

test: add minimum test for ShadowRealm virtual environment, with instructions

Created at 1 week ago

closed issue
Snow can be bypassed with window.parent.alert(...)

Reproduce by running:

window.parent.alert(1);

In https://lavamoat.github.io/snow/demo/

Created at 1 week ago
issue comment
Snow can be bypassed with window.parent.alert(...)

Yep, same environment issue I described in https://github.com/LavaMoat/snow/issues/68

Created at 1 week ago
closed issue
Snow can be bypassed with postMessage from iframe by accessing event.source and event.currentTarget

Reproduce by running

const handler = (event) => {
  event.currentTarget.alert(1)
  event.source.alert(1);
  window.removeEventListener('message', handler);
};

window.addEventListener('message', handler);

const iframe = document.createElement('iframe');

document.body.append(iframe);

const script = iframe.contentDocument.createElement('script');
script.textContent = `
  window.parent.postMessage(0, '*');
`;

iframe.contentDocument.body.append(script);

In https://lavamoat.github.io/snow/demo/

Created at 1 week ago
issue comment
Snow can be bypassed with postMessage from iframe by accessing event.source and event.currentTarget

I just realized that I hadn't refreshed the demo page, so my previous changes were still active in the global object. lol, realms are hard 🤦

Created at 1 week ago
opened issue
Snow can be bypassed with postMessage from iframe by accessing event.source and event.currentTarget

Reproduce by running

const handler = (event) => {
  event.currentTarget.alert(1)
  event.source.alert(1);
  window.removeEventListener('message', handler);
};

window.addEventListener('message', handler);

const iframe = document.createElement('iframe');

document.body.append(iframe);

const script = iframe.contentDocument.createElement('script');
script.textContent = `
  window.parent.postMessage(0, '*');
`;

iframe.contentDocument.body.append(script);

In https://lavamoat.github.io/snow/demo/

Created at 1 week ago
opened issue
Snow can be bypassed with window.parent.alert(...)

Reproduce by running:

window.parent.alert(1);

In https://lavamoat.github.io/snow/demo/

Created at 1 week ago
issue comment
Snow can be bypassed with document.open('', '', '')

Ref: https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#opening-the-input-stream

Created at 1 week ago
opened issue
Snow can be bypassed with document.open('', '', '')

Reproduce by running:

const w = document.open('', '', '')
window.alert = w.parent.alert.bind(window);
alert(1);

In https://lavamoat.github.io/snow/demo/

Created at 1 week ago

chore: cleanup lint warnings (#411)

release: v0.12.1

fix: update near-membrane-dom to use ShadowRealm, fallback to iframe

fix: add ShadowRealm enablement option for virtual environment creation in near-membrane

Created at 1 week ago
issue comment
fix: update near-membrane-dom to use ShadowRealm

Rebased!

Created at 2 weeks ago

chore: code style parity with locker (#377)

release: v0.11.1

fix: @W-11612697 avoid v8 perf de-opt for Array#splice (#379)

chore: @W-11668801 update deps (#380)

feat: @W-11668835 remove 'any' type from startActivity (#381)

build(package): add repository info to all public packages (#383)

Adding repository details to all published packages.

Co-authored-by: John-David Dalton <john.david.dalton@gmail.com>

feat: @W-11668812 explicitly import/export types (#382)

release: v0.11.2

chore: @W-11668801 update deps (#385)

release: v0.11.3

fix: align @rollup/plugin-node-resolve version with locker

fix: restore downgrade to karma-rollup-preprocessor to 7.0.7 (#387)

Ref: https://github.com/salesforce/near-membrane/commit/b8e5fa524467d3086edc791cef4895a09a0627b8

feat: @W-11665503 add support for liveTargetCallback (#388)

release: v0.11.4

minor: rename master to main (#390)

Co-authored-by: John-David Dalton <john.david.dalton@gmail.com>

chore: @W-11765740 cleanup scripts (#391)

fix: @W-11771403 support proxies that have get traps but not getOwnPropertyDescriptor traps (#392)

feat: @W-11752332 add shared and shared-dom packages (#393)

release: v0.11.5

feat: @W-11801357 add trackTargetAsFast (#394)

Created at 2 weeks ago
delete branch
rwaldron delete branch jdalton/iframe-revoked
Created at 2 weeks ago

feat: @W-12357687 make alive iframe a revoked proxy (#410)

  • chore: cleanup var names

  • feat: @W-12357687 make alive iframe a revoked proxy

Created at 2 weeks ago
pull request closed
feat: @W-12357687 make alive iframe a revoked proxy

feat: @W-12357687 make alive iframe a revoked proxy

Created at 2 weeks ago

[[FIX]] Correct error message

With the exception of for..of and for..in heads, constant binding declarations which lack an initializer are syntactically invalid. Despite this, the warning emitted for the construction suggests that the problem lies in runtime behavior. In fact, the constant is not initialized to any value because the code is never evaluated.

Rephrase the warning to more accurately describe the issue.

Created at 2 months ago
pull request closed
[[FIX]] Correct error message

With the exception of for..of and for..in heads, constant binding declarations which lack an initializer are syntactically invalid. Despite this, the warning emitted for the construction suggests that the problem lies in runtime behavior. In fact, the constant is not initialized to any value because the code is never evaluated.

Rephrase the warning to more accurately describe the issue.

Created at 2 months ago

[[FIX]] Allow initializing const bindings to undef

Warning W080 is inappropriate for constant bindings because, unlike var and let declarations, const requires an initializer.

Relax the emission of W080 to allow initializing constant bindings with undefined. Add unit tests to verify that the warning continues to be emitted for constant bindings declared in ES2015 destructuring patterns.

Created at 2 months ago