fix(goto): restrict autoconsent eval to main frame via nonce

page.exposeFunction propagates bindings to every frame, including
cross-origin iframes.  A malicious iframe could call
autoconsentSendMessage({type:'eval', code:'…'}) and page.evaluate
would execute that code in the main frame's context, bypassing the
Same-Origin Policy (same pattern as the DuckDuckGo Android UXSS,
CVSS 8.6).

Generate a per-page random nonce and wrap the binding in the top frame
only (window.self === window.top) so every legitimate message carries
it.  Child frames keep the raw CDP binding which lacks the nonce, so
their messages are silently rejected by the handler.

Made-with: Cursor

Author: Kikobeats

packages/goto/src/adblock.js

@@ -1,6 +1,8 @@
 'use strict'
 
 const { PuppeteerBlocker } = require('@ghostery/adblocker-puppeteer')
+const { randomUUID } = require('crypto')
+const pTimeout = require('p-timeout')
 const fs = require('fs/promises')
 const path = require('path')
 
@@ -84,12 +86,14 @@ const sendMessage = (page, message) =>
     }, message)
     .catch(() => {})
 
-const setupAutoConsent = async page => {
+const setupAutoConsent = async (page, timeout) => {
   if (page._autoconsentSetup) return
   const autoconsentPlaywrightScript = await getAutoconsentPlaywrightScript()
+  const nonce = randomUUID()
 
   await page.exposeFunction('autoconsentSendMessage', async message => {
     if (!message || typeof message !== 'object') return
+    if (message.__nonce !== nonce) return
 
     if (message.type === 'init') {
       return sendMessage(page, { type: 'initResp', config: autoconsentConfig })
@@ -98,12 +102,21 @@ const setupAutoConsent = async page => {
     if (message.type === 'eval') {
       let result = false
       try {
-        result = await page.evaluate(message.code)
+        result = await pTimeout(page.evaluate(message.code), timeout)
       } catch {}
       return sendMessage(page, { type: 'evalResp', id: message.id, result })
     }
   })
 
+  /* Wrap the binding in the top frame so every outgoing message carries the
+     nonce.  Child frames (including cross-origin iframes) keep the raw CDP
+     binding which lacks the nonce, so their messages are silently rejected. */
+  await page.evaluateOnNewDocument(n => {
+    if (window.self !== window.top) return
+    const raw = window.autoconsentSendMessage
+    if (raw) window.autoconsentSendMessage = msg => raw({ ...msg, __nonce: n })
+  }, nonce)
+
   await page.evaluateOnNewDocument(autoconsentPlaywrightScript)
   page._autoconsentSetup = true
 }
@@ -119,7 +132,7 @@ const enableBlockingInPage = (page, run, actionTimeout) => {
 
   return [
     run({
-      fn: setupAutoConsent(page),
+      fn: setupAutoConsent(page, actionTimeout),
       timeout: actionTimeout,
       debug: 'autoconsent:setup'
     }),

packages/goto/test/unit/adblock/index.js

@@ -115,6 +115,85 @@ test('autoconsent eval that throws still sends evalResp with result false', asyn
   t.is(received.result, false)
 })
 
+test('autoconsent eval that hangs is timed out', async t => {
+  const browserless = await getBrowserContext(t)
+  const url = await getUrl(t)
+
+  const run = browserless.withPage((page, goto) => async () => {
+    await goto(page, { url })
+
+    return page.evaluate(() => {
+      return new Promise(resolve => {
+        const timeout = setTimeout(() => resolve(null), 10000)
+        window.autoconsentReceiveMessage = msg => {
+          if (msg.type === 'evalResp' && msg.id === 'test-hang') {
+            clearTimeout(timeout)
+            resolve(msg)
+          }
+        }
+        window
+          .autoconsentSendMessage({
+            type: 'eval',
+            id: 'test-hang',
+            code: 'new Promise(() => {})'
+          })
+          .catch(() => {})
+      })
+    })
+  })
+
+  const received = await run()
+  t.truthy(received, 'evalResp should be received even when eval code hangs')
+  t.is(received.type, 'evalResp')
+  t.is(received.id, 'test-hang')
+  t.is(received.result, false)
+})
+
+test('eval triggered from child frame is rejected', async t => {
+  const browserless = await getBrowserContext(t)
+
+  const url = await runServer(t, ({ req, res }) => {
+    res.setHeader('content-type', 'text/html')
+    if (req.url === '/frame') {
+      return res.end('<html><body></body></html>')
+    }
+    res.end('<html><body><iframe src="/frame"></iframe></body></html>')
+  })
+
+  const run = browserless.withPage((page, goto) => async () => {
+    await goto(page, { url, waitUntil: 'load' })
+
+    const iframeEl = await page.waitForSelector('iframe')
+    const iframe = await iframeEl.contentFrame()
+
+    await page.evaluate(() => {
+      window.__iframeEval = false
+    })
+
+    const hasBinding = await iframe
+      .evaluate(() => typeof window.autoconsentSendMessage === 'function')
+      .catch(() => false)
+
+    if (!hasBinding) return false
+
+    await iframe.evaluate(() => {
+      window
+        .autoconsentSendMessage({
+          type: 'eval',
+          id: 'frame-eval',
+          code: 'window.__iframeEval = true'
+        })
+        .catch(() => {})
+    })
+
+    await new Promise(resolve => setTimeout(resolve, 1000))
+    return page.evaluate(() => window.__iframeEval)
+  })
+
+  const result = await run()
+  t.is(result, false, 'eval from child frame must not execute in main frame')
+})
+
 test('`disableAdblock` removes blocker listeners and keeps request interception enabled', async t => {
   const browserless = await getBrowserContext(t)
   const url = await getUrl(t)