
Critical Thinking - Bug Bounty Podcast Episode 151: Client-side Advanced Topics
Dec 4, 2025

Dive into the nuances of third-party cookies and learn how Chrome's partitioning impacts security. Discover clever iframe tricks and the intricacies of postMessage for cross-window communication. Explore the dangers of URL parsing quirks and how they can open doors to novel attacks. From sandboxed iframes to managing window hijacking, this conversation offers fresh insights into advanced client-side vulnerabilities and strategies to defend against them.
AI Snips
How Chrome Partitions Third-Party Cookies
- Chrome's CHIPS (Cookies Having Independent Partitioned State) keys a third-party cookie by the top-level site (eTLD+1) it was set under, in addition to the embedded host, so an iframe only sees cookies that were set while it was embedded under the same top-level site.
- Look for the Partitioned attribute on Set-Cookie headers (it must be paired with Secure) when reasoning about which cookies an iframe can and cannot read.
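The partitioning rule above, as an added example that is not from the podcast or from Chrome's source: a toy cookie jar that keys Partitioned cookies by the top-level site and refuses the Partitioned attribute without Secure. The host names, the two-label eTLD+1 reduction and the Set-Cookie strings are assumptions constructed for the demo; real browsers use the Public Suffix List and track path, expiry and SameSite as well.

```javascript
// Added example, not from the episode: a simplified model of a CHIPS cookie jar.
// A partitioned cookie is stored under (top-level site, embedded host, name), so
// the same embed sees different cookies under different top-level sites.

// Reduce a hostname to its site. Toy version: last two labels only.
// Real browsers consult the Public Suffix List (e.g. for co.uk); assumed away here.
function toSite(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse a Set-Cookie header into name, value and a lower-cased attribute set.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    flags: new Set(attrs.map((a) => a.split("=")[0].toLowerCase())),
  };
}

class PartitionedJar {
  constructor() {
    this.store = new Map();
  }

  // Store a cookie set by `embedHost` while the top-level page is `topLevelHost`.
  // Returns false when the browser would reject the cookie.
  set(header, embedHost, topLevelHost) {
    const c = parseSetCookie(header);
    const partitioned = c.flags.has("partitioned");
    // CHIPS requires Secure; Partitioned without it is rejected outright.
    if (partitioned && !c.flags.has("secure")) return false;
    // Unpartitioned cookies get an empty partition key: the legacy behaviour
    // when third-party cookies are allowed, visible under any top-level site.
    const partitionKey = partitioned ? toSite(topLevelHost) : "";
    this.store.set(`${partitionKey}|${embedHost}|${c.name}`, c.value);
    return true;
  }

  // Look up a cookie for `embedHost` while it is embedded under `topLevelHost`.
  get(name, embedHost, topLevelHost) {
    const hit = this.store.get(`${toSite(topLevelHost)}|${embedHost}|${name}`);
    if (hit !== undefined) return hit;
    return this.store.get(`|${embedHost}|${name}`);
  }
}

// Constructed scenario: embed.example sets a partitioned cookie under shop.example.
const jar = new PartitionedJar();
jar.set("sid=abc; Secure; Path=/; SameSite=None; Partitioned", "embed.example", "shop.example");
// Same eTLD+1 (www.shop.example) reads it; a different top-level site does not.
console.log(jar.get("sid", "embed.example", "www.shop.example"), jar.get("sid", "embed.example", "news.example"));
```

When reviewing a target, the practical check is the same one the toy encodes: a cookie carrying Partitioned is only reachable from the top-level site it was set under, so a cross-site attack that relies on the iframe presenting that cookie from the attacker's page will not see it.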
Verify PostMessage Listeners, Not Senders
- When auditing postMessage, read the listener, not the sender: check how it handles event.data, event.source and event.origin, since the sender controls everything in the message and the listener is the only place where trust is decided.
- Probe with messages sent from a sandboxed iframe whose origin is the opaque "null", and test whether checks of the form event.origin == window.origin can be satisfied that way.
Null Origins Can Break Origin Checks
- A sandboxed iframe without allow-same-origin gets an opaque origin that serialises as the string "null", so it fails same-origin checks by design.
- If such an iframe opens a popup (and the sandbox lacks allow-popups-to-escape-sandbox), the popup inherits the sandbox and therefore the same null origin; two null-origin windows then compare equal under naive string checks, so a listener that only tests event.origin against its own origin can be fooled.
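The null-origin pitfall from the last two snips, as an added example that is not from the podcast: a naive listener that compares event.origin with its own window.origin is satisfied by a null-origin sender whenever the receiver itself runs with a null origin, while the hardened version allow-lists a fixed origin, rejects "null" explicitly, pins the expected source window and validates the payload shape. The origin https://app.example, the action names and the plain-object stand-ins for MessageEvent and window are assumptions constructed so the code runs under Node.

```javascript
// Added example, not from the episode. `ctx` stands in for the receiving window
// and `event` for a MessageEvent; both are plain objects so this runs offline.

const TRUSTED_ORIGIN = "https://app.example"; // assumed allow-listed parent
const ALLOWED_ACTIONS = new Set(["ready", "resize"]); // assumed message types

// Naive listener: "is the sender the same origin as me?" In a normal
// https://app.example window this looks fine, but a receiver that itself runs in
// a sandboxed frame has window.origin === "null", and so does every sandboxed
// attacker frame or popup: "null" === "null" passes.
function naiveListener(ctx, event) {
  if (event.origin !== ctx.origin) return { accepted: false };
  return { accepted: true, data: event.data };
}

// Hardened listener: fixed allow-list, explicit rejection of the opaque origin,
// optional pinning of the sender window, and schema validation of the payload.
function hardenedListener(event, expectedSource) {
  if (event.origin === "null") {
    return { accepted: false, reason: "opaque (sandboxed) origin" };
  }
  if (event.origin !== TRUSTED_ORIGIN) {
    return { accepted: false, reason: "origin not allow-listed" };
  }
  if (expectedSource && event.source !== expectedSource) {
    return { accepted: false, reason: "unexpected source window" };
  }
  const d = event.data;
  if (typeof d !== "object" || d === null || typeof d.action !== "string") {
    return { accepted: false, reason: "bad payload shape" };
  }
  if (!ALLOWED_ACTIONS.has(d.action)) {
    return { accepted: false, reason: "unknown action" };
  }
  return { accepted: true, data: d };
}

// Constructed scenario: the receiver is a widget in a sandboxed iframe, and the
// attacker's message arrives from another sandboxed frame or popup.
const sandboxedReceiver = { origin: "null" };
const attackerMessage = { origin: "null", source: {}, data: { action: "resize" } };
console.log(naiveListener(sandboxedReceiver, attackerMessage).accepted); // true: bypassed
console.log(hardenedListener(attackerMessage).accepted); // false
```

The practical audit step is to find where the receiving page can itself end up with a null origin (sandbox attribute, CSP sandbox directive, data: URLs) and then send from any sandboxed frame; if the listener's only gate is a comparison against its own origin, the test message gets through.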
