[vulnerability][demo][acl] No ACLs for iframe.contentWindow

[t2ym]

[vulnerability][demo][acl] No ACLs for iframe.contentWindow

Root Cause

• ACLs for global objects are not applied to iframe.contentWindow, which is a global object.

WARNING

• Access to iframe.contentWindow must be limited to minimum or no access since full ACLs are NOT applied to the global objects in the iframe. See [vulnerability][demo][acl] Full ACLs are not applied to iframe.contentWindow #239

    HTMLIFrameElement: {
      [S_CHAIN]: () => acl.HTMLElement,
      [S_PROTOTYPE]: {
        [S_CHAIN]: S_CHAIN,
        [S_INSTANCE]: {
          [S_CHAIN]: S_CHAIN,
          contentDocument: '---',
          contentWindow: '---',
        },
      },
    },

Fix

    HTMLIFrameElement: {
      [S_CHAIN]: () => acl.HTMLElement,
      [S_PROTOTYPE]: {
        [S_CHAIN]: S_CHAIN,
        [S_INSTANCE]: {
          [S_CHAIN]: S_CHAIN,
          contentWindow: {
            [S_DEFAULT]: '---',
            '@iframe_contentWindow_accessor': function _iframeContentWindowAcl(
                normalizedThisArg,
                normalizedArgs /* ['property', args], ['property', value], etc. */,
                aclArgs /* [name, isStatic, isObject, property, opType, context] */,
                hookArgs /* [f, thisArg, args, context, newTarget] */,
                applyAcl /* for recursive application of ACL */) {
              let opType = aclArgs[4];
              if (opType === 'r') {
                Policy.trackClass('window', normalizedThisArg[normalizedArgs[0]]);
              }
              return 'r--'[opTypeMap[opType]] === opType; // equivalent to 'r--' acl
            },
          },
        },
      },
    },