Awesome Javascript Realms Security

Curated list of Javascript Realms Security resources (also known as The Same Origin Concern)

Abstract

Due to the rise of dependencies based development, the javascript ecosystem (and the browser javascript ecosystem in particular) is far more vulnerable to the rising major problem we know as “supply chain attacks”.

Therefore, many different supply chain security solutions were introduced to the industry as well, focusing on different ends of it, ranging from build time to runtime protection.

However, runtime browser based protections usually lack a major component in their solutions, one that mostly leaves such solutions completely vulnerable, almost as if they were never there.

Realms (aka iframes in the browser) is an ancient and legitimate concept that goes through a horrific spinoff in the context of bypassing browser based supply chain security attempts.

And the worst part is that carrying out attacks is so easy with realms, but defending realms is so complicated.

It's time to dive into the so important yet ignored layer in securing against unwanted code execution - it's time to talk about the javascript realms blank spot and its offensive/defensive security aspects.

It is important to note that the scope here is specifically around how unwanted code execution in the top main realm of a web app can bypass protections applied to that realm by leveraging another same origin child realm created by the attacker. There are other attacks involving iframes to be aware of (e.g. iframe injection, clickjacking, phishing and more), but those are out of the scope of this repository.

Realms

Spec & Docs

• tc39 Realms ⭐️
• tc39 Agents (parent entity of realms)
• tc39 Agent Clusters (parent entity of agents)

Content

• What is a realm in javascript? ⭐️
• The Same Origin Concern ⭐️

iFrames

Spec & Docs

• mdn iFrames
• html iFrames

Realms(/iFrames) Security

Content

• Realms role in supply chain attacks ⭐️
• Introduction - What is realms security? ⭐️

In the wild

• Skimmer acts as payment service provider via rogue iframe - by malwarebytes

Tools

• Snow JS ❄️ ⭐️ - the most secure tool out there for hermatic realms ownership
  • Introduction to Snow - the rise of supply chain attacks and how it all lead to creating Snow
  • Integrating Snow into MetaMask ⭐️ - understanding how supply chain attacks affect web apps such as MetaMask 🦊, how MetaMask develops LavaMoat to defend against those, and why it also needs Snow
  • Live demo ⭐️ - can you bypass snow?
  • Technical explanation ⭐️
  • Source code