fix(goto): restrict autoconsent eval to main frame via nonce

page.exposeFunction propagates bindings to every frame, including
cross-origin iframes.  A malicious iframe could call
autoconsentSendMessage({type:'eval', code:'…'}) and page.evaluate
would execute that code in the main frame's context, bypassing the
Same-Origin Policy (same pattern as the DuckDuckGo Android UXSS,
CVSS 8.6).

Generate a per-page random nonce and wrap the binding in the top frame
only (window.self === window.top) so every legitimate message carries
it.  Child frames keep the raw CDP binding which lacks the nonce, so
their messages are silently rejected by the handler.

Made-with: Cursor

Author: Kikobeats

packages/goto/src/adblock.js

@@ -1,6 +1,7 @@
 'use strict'
 
 const { PuppeteerBlocker } = require('@ghostery/adblocker-puppeteer')
+const { randomUUID } = require('crypto')
 const fs = require('fs/promises')
 const path = require('path')
 
@@ -87,9 +88,11 @@ const sendMessage = (page, message) =>
 const setupAutoConsent = async page => {
   if (page._autoconsentSetup) return
   const autoconsentPlaywrightScript = await getAutoconsentPlaywrightScript()
+  const nonce = randomUUID()
 
   await page.exposeFunction('autoconsentSendMessage', async message => {
     if (!message || typeof message !== 'object') return
+    if (message.__nonce !== nonce) return
 
     if (message.type === 'init') {
       return sendMessage(page, { type: 'initResp', config: autoconsentConfig })
@@ -104,6 +107,15 @@ const setupAutoConsent = async page => {
     }
   })
 
+  /* Wrap the binding in the top frame so every outgoing message carries the
+     nonce.  Child frames (including cross-origin iframes) keep the raw CDP
+     binding which lacks the nonce, so their messages are silently rejected. */
+  await page.evaluateOnNewDocument(n => {
+    if (window.self !== window.top) return
+    const raw = window.autoconsentSendMessage
+    if (raw) window.autoconsentSendMessage = msg => raw({ ...msg, __nonce: n })
+  }, nonce)
+
   await page.evaluateOnNewDocument(autoconsentPlaywrightScript)
   page._autoconsentSetup = true
 }

packages/goto/test/unit/adblock/index.js

@@ -115,6 +115,51 @@ test('autoconsent eval that throws still sends evalResp with result false', asyn
   t.is(received.result, false)
 })
 
+test('eval triggered from child frame is rejected', async t => {
+  const browserless = await getBrowserContext(t)
+
+  const url = await runServer(t, ({ req, res }) => {
+    res.setHeader('content-type', 'text/html')
+    if (req.url === '/frame') {
+      return res.end('<html><body></body></html>')
+    }
+    res.end('<html><body><iframe src="/frame"></iframe></body></html>')
+  })
+
+  const run = browserless.withPage((page, goto) => async () => {
+    await goto(page, { url, waitUntil: 'load' })
+
+    const iframeEl = await page.waitForSelector('iframe')
+    const iframe = await iframeEl.contentFrame()
+
+    await page.evaluate(() => {
+      window.__iframeEval = false
+    })
+
+    const hasBinding = await iframe
+      .evaluate(() => typeof window.autoconsentSendMessage === 'function')
+      .catch(() => false)
+
+    if (!hasBinding) return false
+
+    await iframe.evaluate(() => {
+      window
+        .autoconsentSendMessage({
+          type: 'eval',
+          id: 'frame-eval',
+          code: 'window.__iframeEval = true'
+        })
+        .catch(() => {})
+    })
+
+    await new Promise(resolve => setTimeout(resolve, 1000))
+    return page.evaluate(() => window.__iframeEval)
+  })
+
+  const result = await run()
+  t.is(result, false, 'eval from child frame must not execute in main frame')
+})
+
 test('`disableAdblock` removes blocker listeners and keeps request interception enabled', async t => {
   const browserless = await getBrowserContext(t)
   const url = await getUrl(t)