Commit 738bcf0

Merge pull request #2008 from HackTricks-wiki/research_update_src_pentesting-web_xss-cross-site-scripting_iframes-in-xss-and-csp_20260315_130540
Research Update Enhanced src/pentesting-web/xss-cross-site-s...
2 parents e1f142a + 783a439 commit 738bcf0

1 file changed

Lines changed: 12 additions & 1 deletion

src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md

@@ -126,7 +126,7 @@ The research community continues to discover creative ways of abusing iframes to
126126
console.log(victim.name); // → leaked value
127127
```
128128

129-
* **Nonce theft via same-origin iframe (2024)** – CSP nonces are not removed from the DOM; they are merely hidden in DevTools. If an attacker can inject a *same-origin* iframe (for example by uploading HTML to the site) the child frame can simply query `document.querySelector('[nonce]').nonce` and create new `<script nonce>` nodes that satisfy the policy, giving full JavaScript execution despite `strict-dynamic`. The following gadget escalates a markup injection into XSS:
129+
* **Nonce reuse via same-origin iframe** – CSP nonces are readable from the DOM by same-origin documents. If an attacker can inject or upload a *same-origin* HTML page and load it in an iframe, the child frame can read `top.document.querySelector('[nonce]').nonce` and mint new `<script nonce>` elements. This turns a same-origin HTML injection into full script execution even under `strict-dynamic` (because the nonce is already trusted). The following gadget escalates a markup injection into XSS:
130130

131131
```javascript
132132
const n = top.document.querySelector('[nonce]').nonce;
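Review bot: the rewritten bullet drops the DevTools sentence but with it loses the one detail a reader needs to follow the gadget: nonce hiding means `getAttribute('nonce')` returns the empty string while the `[nonce]` attribute selector still matches, which is why the snippet reads the `.nonce` IDL property rather than the attribute. Suggest adding that half-sentence right after "CSP nonces are readable from the DOM by same-origin documents". The line `const n = top.document.querySelector('[nonce]').nonce;` also throws when no nonced element exists or when `top` is cross-origin, so the bullet could state the mitigation that follows from its own premise: user-supplied HTML must be served from a separate origin (or in a sandboxed frame without `allow-same-origin`) so it never shares the document's nonce.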
@@ -191,7 +191,9 @@ Since **Chrome 110 (February 2023) the feature is enabled by default** and the s
191191

192192
* Scripts in different credentialless iframes **still share the same top-level origin** and can freely interact via the DOM, making multi-iframe self-XSS attacks feasible (see PoC below).
193193
* Because the network is **credential-stripped**, any request inside the iframe effectively behaves as an unauthenticated session – CSRF protected endpoints usually fail, but public pages leakable via DOM are still in scope.
194+
* Storage is **partitioned by a top-level document nonce**: credentialless frames on the same page can share storage with each other, but it is cleared when the top-level document is discarded.
194195
* Pop-ups spawned from a credentialless iframe get an implicit `rel="noopener"`, breaking some OAuth flows.
196+
* Browsers are expected to **disable autofill/password managers** inside credentialless iframes, limiting credential theft via autofill in these contexts.
195197

196198
```javascript
197199
// PoC: two same-origin credentialless iframes stealing cookies set by a third
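Review bot: both new bullets make spec-level claims without a source. "Browsers are expected to **disable autofill/password managers**" is hedged with no citation, and the storage-partitioning bullet has none either; since the file already cites the Chrome blog post in References, link the spec or explainer text these come from, or phrase them as observed behaviour in a named browser version. The storage bullet would also be more useful with one more clause: because the partition is keyed by a per-document nonce, a credentialless frame starts with none of the top-level site's existing cookies or localStorage, which is exactly why the PoC below needs a third frame to set the cookies that the other two read.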
@@ -231,6 +233,13 @@ alert(window.top[1].document.cookie);
231233

232234
As indicated in [this article](https://blog.slonser.info/posts/make-self-xss-great-again/) The API `fetchLater` allows to configure a request to be executed later (after a certain time). Therefore, this can be abused to for example, login a victim inside an attackers session (with Self-XSS), set a `fetchLater` request (to change the password of the current user for example) and logout from the attackers session. Then, the victim logs in in his own session and the `fetchLater` request will be executed, changing the password of the victim to the one set by the attacker.
233235

236+
Operational notes:
237+
238+
- `fetchLater` is still an emerging API with limited browser support; feature-detect before relying on it.
239+
- The response is **not** available to JavaScript; body/headers are ignored once the deferred request is sent.
240+
- CSP enforcement uses `connect-src` (not `script-src`) for deferred requests.
241+
- Requests fire on page unload or when `activateAfter` expires (whichever happens first).
242+
234243
This way even if the victim URL cannot be loaded in an iframe (due to CSP or other restrictions), the attacker can still execute a request in the victim's session.
235244

236245

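Review bot: the new "Operational notes" list uses `-` bullets while every other list in this file (the bullets in the hunks above and the References below) uses `*`; switch to `*` for consistency. On content, the fourth note explains when the deferred request fires but not what the paragraph above it implies for defenders: cookies are attached when the request is sent, not when it is scheduled, which is why the session swap works and why a password-change endpoint should require re-authentication or a session-bound CSRF token rather than just a valid session cookie. That belongs as a fifth note. The unchanged context line above ("allows to configure", "abused to for example, login") also has grammar slips worth cleaning up while this section is being touched.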
@@ -272,5 +281,7 @@ Check the following pages:
272281
## References
273282

274283
* [PortSwigger Research – Using form hijacking to bypass CSP (March 2024)](https://portswigger.net/research/using-form-hijacking-to-bypass-csp)
284+
* [PortSwigger Research – Bypassing CSP with dangling iframes (Jun 2022)](https://portswigger.net/research/bypassing-csp-with-dangling-iframes)
275285
* [Chrome Developers – Iframe credentialless: Easily embed iframes in COEP environments (Feb 2023)](https://developer.chrome.com/blog/iframe-credentialless)
286+
* [MDN – Window.fetchLater()](https://developer.mozilla.org/en-US/docs/Web/API/Window/fetchLater)
276287
{{#include ../../banners/hacktricks-training.md}}
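Review bot: the References list is left inconsistent by this hunk. The dangling-iframes entry (Jun 2022) is inserted after the March 2024 form-hijacking entry, so the list is neither chronological nor alphabetical, and the MDN `fetchLater` entry carries no date while every other entry does. More importantly, the Slonser article that the `fetchLater` section links inline (https://blog.slonser.info/posts/make-self-xss-great-again/) is not listed here at all; add it as a `*` entry with the article's title and date so the body's citations and the list match.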
