ID Attribute framing protection bypass link #140

Open
003random opened this issue Sep 13, 2022 · 3 comments

003random commented Sep 13, 2022

Hi!
I was reading some more about some fun attacks (having much fun reading all of it) and I noticed that https://xsleaks.dev/docs/attacks/id-attribute/ states that framing protections won't defend against the ID attribute XS-Leak.

https://xsleaks.dev/docs/attacks/experiments/portals/ explains more about this, but I'm missing a link between these 2 pages. As a reader, it would be very nice to learn about this bypass right after reading in the first link that XFO won't protect against this type of leak.

003random changed the title from "ID Attribute non-iframe POC?" to "ID Attribute framing protection bypass link" on Sep 14, 2022

terjanq commented Sep 14, 2022

Looks like COOP and XFO have been switched


NDevTK commented Sep 14, 2022

Yeah COOP would only be a defense if scrolling was detectable on a cross-origin window.
Bypassing XFO to leak information using portals would be a security regression so hopefully they don't continue that :/


NDevTK commented Nov 6, 2022

@003random PR #141 was merged; does this fix the issue?
