Snow can be bypassed with declarative shadow DOM passed as object instead of string

[avlidienbrunn]

When checking if an inserter function contains shadow DOM, the code expects the argument to be a string (argument is added as innerHTML on a new html tag).

But many of the functions do not operate on strings, so the "checked" HTML becomes something like:

Furthermore, elements inside shadow DOM will not be found when looking for frames using querySelectorAll, so we can just insert shadow DOM (as a DOM node, not string) containing an iframe, and use that:

shadowed = `<o-o id=z><template shadowroot="open"><iframe></iframe></template></o-o>`;
document.documentElement.appendChild(new DOMParser().parseFromString(shadowed, 'text/html', {includeShadowRoots: true}).documentElement);
z.shadowRoot.querySelector('iframe').contentWindow.alert(1);

[naugtur]

Thanks for contributing. The main maintainer of this project is temporary unavailable, but we'll definitely get back to this.
The plan is to tighten some limitations on DOM usage that Snow already introduces and fixing the missing overrides where possible. Some of the work has started (see PR tab)

Meanwhile we're also working with W3C to propose a basic building block of Snow getting introduced into the browser so that all of the monkey-patching can be eliminated in the future. https://www.w3.org/2023/03/secure-the-web-forward/talks/realms.html

Feel free to update this issue with comments on how you think it should be addressed. We may reach out with questions later.