@locker/distortion - npm Package Compare versions

Comparing version 0.11.11 to 0.11.15

LICENSE

2

dist/index.cjs.js

@@ -1293,2 +1293,2 @@ /**

exports.nsDistortions = nsDistortions$3;
/** version: 0.11.11 */
/** version: 0.11.15 */
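Review bot: the only change this comparison shows in dist/index.cjs.js is the `/** version: 0.11.11 */` banner becoming `/** version: 0.11.15 */`; the `exports.nsDistortions = nsDistortions$3;` line above it is untouched and no other hunk for the bundle appears. If built artifacts are going to be committed, the release notes for 0.11.15 should say that the bundled distortion code itself is unchanged in this range so reviewers do not go looking for a behavioural diff here.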

@@ -1287,2 +1287,2 @@ /**

export { distortions$1 as distortions, makeElementDistortionsForSandbox, nsDistortions$3 as nsDistortions };
/** version: 0.11.11 */
/** version: 0.11.15 */

@@ -52,10 +52,2 @@ <!-- START doctoc generated TOC please keep comment here to allow auto update -->

- [Distorted Behavior](#distorted-behavior-6)
- [get: HTMLIframeElement.prototype.contentWindow](#get-htmliframeelementprototypecontentwindow)
- [Goal](#goal-5)
- [Design](#design-5)
- [Distorted behavior](#distorted-behavior-5)
- [set: HTMLIFrameElement.prototype.src](#set-htmliframeelementprototypesrc)
- [Goal](#goal-6)
- [Design](#design-6)
- [Distorted behavior](#distorted-behavior-6)
- [nonce: HTMLElement.prototype](#nonce-htmlelementprototype)
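Review bot: the hunk header shows this TOC is doctoc-generated (`<!-- START doctoc generated TOC please keep comment here to allow auto update -->`), so it should be regenerated with doctoc after the section moves rather than edited by hand; the numeric anchor suffixes (`#goal-5`, `#distorted-behavior-6`) are positional and will not line up with the moved headings otherwise. The entries also mix "Distorted Behavior" and "Distorted behavior" capitalisation, which the lowercased anchors hide but which shows in the rendered list.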

@@ -74,19 +66,22 @@ - [WindowEventHandlers: HTMLElement.prototype](#windoweventhandlers-htmlelementprototype)

- [Distorted Behavior](#distorted-behavior-9)
- [value: NamedNodeMap.prototype.setNamedItem](#value-namednodemapprototypesetnameditem)
- [get: HTMLIframeElement.prototype.contentWindow](#get-htmliframeelementprototypecontentwindow)
- [Goal](#goal-5)
- [Design](#design-5)
- [Distorted behavior](#distorted-behavior-5)
- [set: HTMLIFrameElement.prototype.src](#set-htmliframeelementprototypesrc)
- [Goal](#goal-6)
- [Design](#design-6)
- [Distorted behavior](#distorted-behavior-6)
- [get: HTMLScriptElement.prototype.src](#get-htmlscriptelementprototypesrc)
- [Goal](#goal-7)
- [Design](#design-7)
- [Distorted behavior](#distorted-behavior-7)
- [get: HTMLScriptElement.prototype.src](#get-htmlscriptelementprototypesrc)
- [set: HTMLScriptElement.prototype.src](#set-htmlscriptelementprototypesrc)
- [Goal](#goal-8)
- [Design](#design-8)
- [Distorted behavior](#distorted-behavior-8)
- [set: HTMLScriptElement.prototype.src](#set-htmlscriptelementprototypesrc)
- [value: NamedNodeMap.prototype.setNamedItem](#value-namednodemapprototypesetnameditem)
- [Goal](#goal-9)
- [Design](#design-9)
- [Distorted behavior](#distorted-behavior-9)
- [get: Navigator.prototype.serviceWorker](#get-navigatorprototypeserviceworker)
- [Problem statement](#problem-statement)
- [Goal](#goal-10)
- [Design](#design-10)
- [Distorted behavior](#distorted-behavior-10)
- [set: Node.prototype.textContent [Main]](#set-nodeprototypetextcontent-main)
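Review bot: with the +/- markers lost in this rendering, `get: HTMLScriptElement.prototype.src`, `set: HTMLScriptElement.prototype.src` and `value: NamedNodeMap.prototype.setNamedItem` each appear twice in the hunk, so it cannot be read off the page which copy is removed and which is kept; please confirm against the raw diff that the resulting TOC lists each entry exactly once and in the same order as the headings in the body.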

@@ -98,2 +93,7 @@ - [Summary](#summary-10)

- [Distorted Behavior](#distorted-behavior-11)
- [get: Navigator.prototype.serviceWorker](#get-navigatorprototypeserviceworker)
- [Problem statement](#problem-statement)
- [Goal](#goal-10)
- [Design](#design-10)
- [Distorted behavior](#distorted-behavior-10)
- [href attribute and xlink:href attribute on SVGUseElement](#href-attribute-and-xlinkhref-attribute-on-svguseelement)

@@ -543,49 +543,2 @@ - [Summary](#summary-12)

<a name="htmliframeelementdocscontentwindow-gettermd"></a>
## get: HTMLIframeElement.prototype.contentWindow
To reduce the surface area of possible exploit we produce an artificial
`contentWindow` object. At a later time we may explore nesting sandboxes,
but in the interest of simplicity and moving things along we have decided to
keep things simple.
### Goal
- Do not expose the real raw `contentWindow`
- Restrict access to a small curated list of properties
### Design
Create an artificial `contentWindow` object with a curated list of properties
- close
- closed
- focus
- opener
- parent
- postMessage
### Distorted behavior
- Return an artificial `contentWindow` object per iframe
- Cache the artificial `contentWindow` object for subsequent accesses
<a name="htmliframeelementdocssrc-settermd"></a>
## set: HTMLIFrameElement.prototype.src
Restrict supported src values to those that sanitize to http:// and https://
schemes.
### Goal
- Prevent URL schemes like javascript://
### Design
Only allow `src` values with validated schemes to be set.
### Distorted behavior
- Log a console warning for HTMLIFrameElement.src values that don't sanitize
to http:// or https:// schemes
<a name="htmlelementdocsindexmd"></a>
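Review bot: the "Goal" bullet for the src setter says "Prevent URL schemes like javascript://", but the scheme is `javascript:`; the `//` is not part of it, so the check described under "Design" has to be on the parsed scheme of the sanitized URL rather than on a string prefix, and the doc should say so. "Distorted behavior" also only states that a console warning is logged for values that don't sanitize to http:// or https://; state explicitly that the assignment is dropped (which "Only allow `src` values with validated schemes to be set" implies), since a warn-and-continue reading would defeat the stated goal.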

@@ -700,35 +653,48 @@

<a name="namednodemapdocssetnameditem-valuemd"></a>
<a name="htmliframeelementdocscontentwindow-gettermd"></a>
## value: NamedNodeMap.prototype.setNamedItem
## get: HTMLIframeElement.prototype.contentWindow
It is possible to set an attribute on an element using the methods available on NamedNodeMap. For example:
To reduce the surface area of possible exploit we produce an artificial
`contentWindow` object. At a later time we may explore nesting sandboxes,
but in the interest of simplicity and moving things along we have decided to
keep things simple.
```
const el = document.createElement('link');
const attr = document.createAttribute('rel');
attr.value = 'import';
el.attributes.setNamedItem(attr);
```
### Goal
- Do not expose the real raw `contentWindow`
- Restrict access to a small curated list of properties
This would bypass our distortions for named properties and setAttribute\*. For this reason we need to distort `NamedNodeMap.prototype.setNamedItem`.
### Design
Create an artificial `contentWindow` object with a curated list of properties
- close
- closed
- focus
- opener
- parent
- postMessage
### Distorted behavior
- Return an artificial `contentWindow` object per iframe
- Cache the artificial `contentWindow` object for subsequent accesses
<a name="htmliframeelementdocssrc-settermd"></a>
## set: HTMLIFrameElement.prototype.src
Restrict supported src values to those that sanitize to http:// and https://
schemes.
### Goal
- Prevent URL schemes like javascript://
- invoke registered DOM property distortions in situations like `el.attributes.setNamedItem(...)`
### Design
Inside of a NamedNodeMap distortion `this` does not point to an element but to the `attributes` instance. We have no way of understanding which `attributes` instance is for what element. That is why the shared lib of this module provides a `pairElement` utility used in Element.prototype.attributes distortion to pair an element with a NamedNodeMap instance upon accessing the getter of Element.prototype.attributes. Since all operations are synchronous we are guaranteed that the registration happens first followed by invocation later.
Example:
el.attributes.setNamedItem(....)
| |
registration invocation
Only allow `src` values with validated schemes to be set.
The registry is a WeakMap since elements can be removed from the page throughout the lifecycle of an application. The distortions are being retrieved from the `setAttributeNode` registry since both methods accept an instance of `Attr`.
### Distorted behavior
- Log a console warning for HTMLIFrameElement.src values that don't sanitize
to http:// or https:// schemes
- if no distortion is found for an Attr instance then proceed with native invocation of setNamedItem
- if a distortion exists then the distorted behavior is relative to what that distortion does
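Review bot: the "Example:" diagram under "Design" (`el.attributes.setNamedItem(....)` with the `registration` and `invocation` labels on the two lines below it) is plain markdown text, so the whitespace that lines the labels up with the call is collapsed on render and the three lines read as a run-on; put them in a fenced code block. Separately, this hunk shows the old NamedNodeMap text interleaved with the re-inserted HTMLIframeElement sections; each moved section should keep its `<a name="...">` anchor immediately before its `##` heading, which this rendering makes hard to verify.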

@@ -787,39 +753,36 @@ <a name="htmlscriptelementdocssrc-gettermd"></a>

<a name="navigatordocsserviceworker-gettermd"></a>
<a name="namednodemapdocssetnameditem-valuemd"></a>
## get: Navigator.prototype.serviceWorker
## value: NamedNodeMap.prototype.setNamedItem
### Problem statement
It is possible to set an attribute on an element using the methods available on NamedNodeMap. For example:
With `ServiceWorker`, it is possible to alter the response of a request to return JavaScript code that would be unsandboxed when evaluated by the browser.
**Example:**
```js
navigator.serviceWorker.register('/static/sw.js').then(function() {
window.open('/static/aaa', '_self');
});
```
**File /static/sw.js:**
<!-- eslint-disable-next-line no-restricted-globals -->
```js
self.addEventListener('fetch', function(event) {
const unsandboxed = '<body><script>document.body.innerHTML=document.cookie;</script>';
event.respondWith(new Response(unsandboxed, { headers: { 'Content-Type': 'text/html' } }));
});
const el = document.createElement('link');
const attr = document.createAttribute('rel');
attr.value = 'import';
el.attributes.setNamedItem(attr);
```
This would bypass our distortions for named properties and setAttribute\*. For this reason we need to distort `NamedNodeMap.prototype.setNamedItem`.
### Goal
To prevent unsandboxed JavaScript code from leaking data, we want to disallow access to the `navigator.serviceWorker` property.
- invoke registered DOM property distortions in situations like `el.attributes.setNamedItem(...)`
### Design
Inside of a NamedNodeMap distortion `this` does not point to an element but to the `attributes` instance. We have no way of understanding which `attributes` instance is for what element. That is why the shared lib of this module provides a `pairElement` utility used in Element.prototype.attributes distortion to pair an element with a NamedNodeMap instance upon accessing the getter of Element.prototype.attributes. Since all operations are synchronous we are guaranteed that the registration happens first followed by invocation later.
Example:
Patch getter on `Navigator.prototype.serviceWorker` descriptor to return `undefined`.
el.attributes.setNamedItem(....)
| |
registration invocation
The registry is a WeakMap since elements can be removed from the page throughout the lifecycle of an application. The distortions are being retrieved from the `setAttributeNode` registry since both methods accept an instance of `Attr`.
### Distorted behavior
Each time code accesses `navigator.serviceWorker` property, this distortion will return `undefined`.
- if no distortion is found for an Attr instance then proceed with native invocation of setNamedItem
- if a distortion exists then the distorted behavior is relative to what that distortion does
<a name="nodedocstextcontent-settermd"></a>
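Review bot: the "Distorted behavior" bullets make setNamedItem a fail-open distortion: pairing only happens when the NamedNodeMap is obtained through the distorted `Element.prototype.attributes` getter, and "if no distortion is found for an Attr instance then proceed with native invocation of setNamedItem". The doc should say what happens when `setNamedItem` is called on a NamedNodeMap that was never paired (the WeakMap lookup misses) and whether that case is logged, because silently falling through to the native call is exactly the behaviour a reviewer of this distortion needs to know about.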

@@ -853,2 +816,39 @@

<a name="navigatordocsserviceworker-gettermd"></a>
## get: Navigator.prototype.serviceWorker
### Problem statement
With `ServiceWorker`, it is possible to alter the response of a request to return JavaScript code that would be unsandboxed when evaluated by the browser.
**Example:**
```js
navigator.serviceWorker.register('/static/sw.js').then(function() {
window.open('/static/aaa', '_self');
});
```
**File /static/sw.js:**
<!-- eslint-disable-next-line no-restricted-globals -->
```js
self.addEventListener('fetch', function(event) {
const unsandboxed = '<body><script>document.body.innerHTML=document.cookie;</script>';
event.respondWith(new Response(unsandboxed, { headers: { 'Content-Type': 'text/html' } }));
});
```
### Goal
To prevent unsandboxed JavaScript code from leaking data, we want to disallow access to the `navigator.serviceWorker` property.
### Design
Patch getter on `Navigator.prototype.serviceWorker` descriptor to return `undefined`.
### Distorted behavior
Each time code accesses `navigator.serviceWorker` property, this distortion will return `undefined`.
<a name="svguseelementdocshref-attributemd"></a>
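Review bot: patching the getter to return `undefined` keeps the `serviceWorker` property on `Navigator.prototype`, so feature detection of the form `'serviceWorker' in navigator` still succeeds and sandboxed code that then calls `navigator.serviceWorker.register(...)` gets a TypeError instead of a clean "unsupported" path; that deserves a sentence under "Distorted behavior". Also, the `<!-- eslint-disable-next-line no-restricted-globals -->` HTML comment sits outside the ```js fence, where it does nothing for the `self` reference inside the block; if the snippet is linted, move it into the block as a `//` comment, otherwise drop it.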

@@ -855,0 +855,0 @@

{
"name": "@locker/distortion",
"version": "0.11.11",
"version": "0.11.15",
"license": "Salesforce Developer Agreement",
"author": "Salesforce UI Security Team",
"description": "Locker Next Membrane Distortions",
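Review bot: the hunk header `@@ -855,0 +855,0 @@` does not describe the package.json lines that follow it (a zero-length range at line 855 for a file whose opening lines are shown), so the comparison view appears to have lost the file header for package.json; check the `"version"` bump against the raw diff rather than this rendering.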

@@ -23,6 +25,6 @@ "main": "dist/index.cjs.js",

"dependencies": {
"@locker/html-sanitizer": "0.11.11",
"@locker/shared": "0.11.11",
"@locker/shared-dom": "0.11.11",
"@locker/shared-url": "0.11.11"
"@locker/html-sanitizer": "0.11.15",
"@locker/shared": "0.11.15",
"@locker/shared-dom": "0.11.15",
"@locker/shared-url": "0.11.15"
},
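Review bot: all four `@locker/*` dependencies are exact-pinned and move from 0.11.11 to 0.11.15 in lockstep with this package's own version. Since the dist hunks above change only the version banner, any behavioural difference in this release lives in those sibling packages, so the 0.11.15 changelog entry should point at them rather than at this package.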

@@ -32,6 +34,5 @@ "devDependencies": {

"concat-md": "0.3.2",
"rollup-plugin-typescript": "1.0.1",
"typescript": "3.8.3"
},
"gitHead": "edea12f8387424f6b8f26cb9972db921e19c06ee"
"gitHead": "3195c1166c8dddbe4494deee374365371377051e"
}