797
3935
53
Events
fix: add ShadowRealm enablement option for virtual environment creation in near-membrane
test: add minimum test for ShadowRealm virtual environment, with instructions
test: add minimum test for ShadowRealm virtual environment, with instructions
test: add minimum test for ShadowRealm virtual environment, with instructions
test: add minimum test for ShadowRealm virtual environment, with instructions
fix: add ShadowRealm enablement option for virtual environment creation in near-membrane
Snow can be bypassed with window.parent.alert(...)
Reproduce by running:
window.parent.alert(1);
In https://lavamoat.github.io/snow/demo/
Snow can be bypassed with window.parent.alert(...)
Yep, same environment issue I described in https://github.com/LavaMoat/snow/issues/68
Snow can be bypassed with postMessage from iframe by accessing event.source and event.currentTarget
Reproduce by running
const handler = (event) => {
event.currentTarget.alert(1)
event.source.alert(1);
window.removeEventListener('message', handler);
};
window.addEventListener('message', handler);
const iframe = document.createElement('iframe');
document.body.append(iframe);
const script = iframe.contentDocument.createElement('script');
script.textContent = `
window.parent.postMessage(0, '*');
`;
iframe.contentDocument.body.append(script);
In https://lavamoat.github.io/snow/demo/
Snow can be bypassed with postMessage from iframe by accessing event.source and event.currentTarget
I just realized that I hadn't refreshed the demo page, so my previous changes were still active in the global object. lol, realms are hard 🤦
Snow can be bypassed with postMessage from iframe by accessing event.source and event.currentTarget
Reproduce by running
const handler = (event) => {
event.currentTarget.alert(1)
event.source.alert(1);
window.removeEventListener('message', handler);
};
window.addEventListener('message', handler);
const iframe = document.createElement('iframe');
document.body.append(iframe);
const script = iframe.contentDocument.createElement('script');
script.textContent = `
window.parent.postMessage(0, '*');
`;
iframe.contentDocument.body.append(script);
In https://lavamoat.github.io/snow/demo/
Snow can be bypassed with window.parent.alert(...)
Reproduce by running:
window.parent.alert(1);
In https://lavamoat.github.io/snow/demo/
Snow can be bypassed with document.open('', '', '')
Ref: https://html.spec.whatwg.org/multipage/dynamic-markup-insertion.html#opening-the-input-stream
Snow can be bypassed with document.open('', '', '')
Reproduce by running:
const w = document.open('', '', '')
window.alert = w.parent.alert.bind(window);
alert(1);
In https://lavamoat.github.io/snow/demo/
chore: cleanup lint warnings (#411)
release: v0.12.1
fix: update near-membrane-dom to use ShadowRealm, fallback to iframe
fix: add ShadowRealm enablement option for virtual environment creation in near-membrane
fix: update near-membrane-dom to use ShadowRealm
Rebased!
chore: code style parity with locker (#377)
release: v0.11.1
fix: @W-11612697 avoid v8 perf de-opt for Array#splice (#379)
chore: @W-11668801 update deps (#380)
feat: @W-11668835 remove 'any' type from startActivity (#381)
build(package): add repository info to all public packages (#383)
Adding repository details to all published packages.
Co-authored-by: John-David Dalton john.david.dalton@gmail.com
feat: @W-11668812 explicitly import/export types (#382)
release: v0.11.2
chore: @W-11668801 update deps (#385)
release: v0.11.3
fix: align @rollup/plugin-node-resolve version with locker
fix: restore downgrade to karma-rollup-preprocessor to 7.0.7 (#387)
Ref: https://github.com/salesforce/near-membrane/commit/b8e5fa524467d3086edc791cef4895a09a0627b8
feat: @W-11665503 add support for liveTargetCallback (#388)
release: v0.11.4
minor: rename master to main (#390)
Co-authored-by: John-David Dalton john.david.dalton@gmail.com
chore: @W-11765740 cleanup scripts (#391)
fix: @W-11771403 support proxies that have get traps but not getOwnPropertyDescriptor traps (#392)
feat: @W-11752332 add shared and shared-dom packages (#393)
release: v0.11.5
feat: @W-11801357 add trackTargetAsFast (#394)
feat: @W-12357687 make alive iframe a revoked proxy (#410)
-
chore: cleanup var names
-
feat: @W-12357687 make alive iframe a revoked proxy
feat: @W-12357687 make alive iframe a revoked proxy
feat: @W-12357687 make alive iframe a revoked proxy
rwaldron push jshint/jshint
[[FIX]] Correct error message
With the exception of for..of and for..in heads, constant binding
declarations which lack an initializer are syntactically invalid.
Despite this, the warning emitted for the construction suggests that the
problem lies in runtime behavior. In fact, the constant is not
initialized to any value because the code is never evaluated.
Rephrase the warning to more accurately describe the issue.
[[FIX]] Correct error message
With the exception of for..of and for..in heads, constant binding declarations which lack an initializer are syntactically invalid. Despite this, the warning emitted for the construction suggests that the problem lies in runtime behavior. In fact, the constant is not initialized to any value because the code is never evaluated.
Rephrase the warning to more accurately describe the issue.
rwaldron push jshint/jshint
[[FIX]] Allow initializing const bindings to undef
Warning W080 is inappropriate for constant bindings because, unlike
var and let declarations, const requires an initializer.
Relax the emission of W080 to allow initializing constant bindings with
undefined. Add unit tests to verify that the warning continues to be
emitted for constant bindings declared in ES2015 destructuring patterns.
