weizman
commented
1 year ago Some thoughts
- Started #118 which attempts to introduce a base line of CSP to fight off the issues we no longer sure we can solve without it
- In order for this project to work, we need a good infra for that
- We need to create an easy way to tell websites if their current CSP allows bypass of Snow
- To do that, would be neat to have a website that fetches the CSP of a web app, applies it to itself and then runs all of Snow tests
- Or, maybe instead we should support running snow's current tests against any given website by demand?
- Also, we need to communicate somehow what's the needed CSP to help Snow stay bulletproof.
- I don't yet know if the current CSP implemented in #118 is enough to hold off all snow vulns, including open ones, need to verify
- And from the other end, need to make sure current #118 CSP isn't too harsh, would be great to see if it works on MM
- What would also help is if we communicate the importance of implementing Snow in all same origin pages, this should help with issues such as #73
I'm lately coming to the realization that Snow cannot protect same origin realms completely and will need some help from CSP. I'd like to start an initiative around encouraging users to remember to use Snow while implementing some baseline of CSP. This creates a few tasks:
This is important for the future of Snow because it's probably close to useless without CSP since there are some techniques Snow cannot defend against (unfortunately).