[vulnerability] Scripts in SVG are not hooked #250

Closed
t2ym opened this issue Apr 24, 2018 · 1 comment

Comments

@t2ym
Owner

t2ym commented Apr 24, 2018

[vulnerability] Scripts in SVG are not hooked

Root Causes

  • Implementation is missing
  • Initial <object data="URL"> requests bypass Service Worker

Fix

  • Hook <object data="{URL}"> as data URL for <svg><script>location = "{URL}";</script></svg> to avoid bypassing Service Worker
  • Inject bootstrap scripts into SVG (configurations in bootstrap.js)
  hook.parameters.emptySvg = `<?xml version="1.0"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="1px" height="1px"><script>location = "$location$";</script></svg>`;
  hook.parameters.bootstrapSvgScripts = `
    <script xlink:href="${new URL('../../thin-hook/hook.min.js?no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_pp_&compact=true&no-hook-authorization=', baseURI).href.replace(/\&/g, '&amp;') + noHookAuthorization}"></script>
    <script xlink:href="${new URL('no-hook-authorization.js?no-hook=true', baseURI).href}"></script>
    <script xlink:href="${new URL('context-generator.js?no-hook=true', baseURI).href}"></script>
    <script xlink:href="${new URL('bootstrap.js?no-hook=true', baseURI).href}"></script>
    <script xlink:href="${new URL('hook-callback.js?no-hook=true', baseURI).href}"></script>
    <script xlink:href="${new URL('hook-native-api.js?no-hook=true', baseURI).href}"></script>`;
  • Hook inline scripts in SVG

Notes

  • CDATA scripts are not supported for now
    • < cannot be used in raw scripts in SVG
  • data:, blob: URLs are blocked
  • SVG scripts via <img> tags are NOT executed by default.

Reproducible Code Examples

Embedding page:

      <object id="objectStaticData" data="inline-script.svg"></object>
      <iframe id="iframeStaticSrcSVG" src="inline-script.svg"></iframe>

inline-script.svg:

<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xl="http://www.w3.org/1999/xlink" version="1.1" width="200px" height="200px">
  <script><![CDATA[
    navigator.serviceWorker;
  ]]></script>
  <rect id="rect" x="0px" y="0px" width="200px" height="200px" stroke="blue" fill="white"/>
</svg>
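The following is an added example, not thin-hook's own code and not part of the issue. It models the two mechanisms the comment above describes: rewriting an `<object data="URL">` into a `data:` SVG whose script assigns `location`, so that the load becomes a navigation the Service Worker can intercept, and scanning SVG markup for `<script>` elements and classifying them the way the issue's notes do (CDATA bodies unsupported, `data:`/`blob:` hrefs blocked). The function names, the reduced template, the `example.test` base URI and the sample SVG are all constructed for this example.

```javascript
// Added example (not thin-hook's own code). Function names, the reduced
// template and the sample inputs below are constructed for illustration.

const EMPTY_SVG_TEMPLATE =
  '<?xml version="1.0"?>' +
  '<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1px" height="1px">' +
  '<script>location = "$location$";</script></svg>';

// The URL lands inside a JS string literal that itself sits in an XML text
// node, so escape for JS first, then for XML: the XML parser decodes the
// entities before the script engine ever sees the string.
function escapeForSvgScriptString(url) {
  const js = url.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
  return js.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Build the data: URL that replaces the original <object data> value.
// A function replacement avoids String.replace's "$&" pattern expansion.
function wrapObjectData(url, baseURI) {
  const absolute = new URL(url, baseURI).href;
  const escaped = escapeForSvgScriptString(absolute);
  const svg = EMPTY_SVG_TEMPLATE.replace('$location$', () => escaped);
  return 'data:image/svg+xml;charset=utf-8,' + encodeURIComponent(svg);
}

// Rewrite every <object data="..."> in an HTML string. data: and blob:
// values are left untouched because the issue says those schemes are blocked.
function rewriteObjectTags(html, baseURI) {
  return html.replace(/(<object\b[^>]*\bdata=")([^"]*)(")/gi, (match, pre, url, post) => {
    if (/^(data|blob):/i.test(url)) return match;
    return pre + wrapObjectData(url, baseURI) + post;
  });
}

// Classify the <script> elements found in SVG markup:
//   external + data:/blob: href  -> blocked
//   external + other href         -> hookable
//   inline with <![CDATA[ ... ]]> -> unsupported-cdata (per the issue's notes)
//   inline without CDATA          -> hookable
function scanSvgScripts(svgText) {
  const results = [];
  const scriptRe = /<script\b([^>]*?)(?:\/>|>([\s\S]*?)<\/script>)/gi;
  let m;
  while ((m = scriptRe.exec(svgText)) !== null) {
    const attrs = m[1] || '';
    const body = m[2] || '';
    const hrefMatch = attrs.match(/(?:xlink:)?href\s*=\s*"([^"]*)"/i);
    if (hrefMatch) {
      const href = hrefMatch[1];
      results.push({
        kind: 'external',
        href,
        status: /^(data|blob):/i.test(href) ? 'blocked' : 'hookable',
      });
    } else if (/<!\[CDATA\[/.test(body)) {
      results.push({ kind: 'inline', status: 'unsupported-cdata' });
    } else {
      results.push({ kind: 'inline', status: 'hookable' });
    }
  }
  return results;
}

// Constructed sample: the issue's reproducer SVG reduced to its script,
// plus one bootstrap-style external script and one blocked data: script.
const SAMPLE_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">' +
  '<script><![CDATA[ navigator.serviceWorker; ]]></script>' +
  '<script xlink:href="bootstrap.js?no-hook=true"></script>' +
  '<script xlink:href="data:text/javascript,alert(1)"/>' +
  '</svg>';

console.log(rewriteObjectTags('<object id="o" data="inline-script.svg"></object>',
                              'https://example.test/app/'));
console.log(scanSvgScripts(SAMPLE_SVG));
```

The rewrite only covers `<object>`; `<iframe src>` is an ordinary navigation that a Service Worker already sees, and `<embed>` is the element the follow-up comment flags as still unhooked. The scanner is a text-level approximation of what the bootstrap injector would do on a parsed DOM.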
@t2ym
Owner Author

t2ym commented Apr 25, 2018

Reopen

  • Hooking is not implemented for the embed element
  • ACLs to contentWindow/contentDocument access are missing
  • <![CDATA[ ... ]]> in inline scripts is not supported

@t2ym t2ym reopened this Apr 25, 2018
@t2ym t2ym closed this as completed in c859390 Apr 25, 2018