What would also help is if we communicate the importance of implementing Snow in all same-origin pages; this should help with issues such as https://github.com/LavaMoat/snow/issues/73
Past PRs make it so that exploiting #73 isn't possible if ONE of the following TWO conditions is met:

1. Snow is correctly implemented in ALL same-origin HTML pages served by the server (including 404 and such).
   - 128 is designed so that calling Snow is only necessary in the top main realm; you just need to include the bundle in all pages (or call Snow in all pages too, either way is fine).
2. Pages correctly allow `frame-src` CSP only to same-origin or well-trusted origins. Allowing untrusted cross-origin iframes allows #73 to exist when condition (1) isn't met.
   - Note: is that true when taking `open()` into consideration too? Need to research...

This ⬆️ needs to be correctly communicated for #73 to be considered addressed.
CTX https://github.com/LavaMoat/snow/issues/109#issuecomment-1618674481:
CTX 2 https://github.com/LavaMoat/snow/issues/73#issuecomment-1638388215:
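
An added example, not part of the original post or of Snow's own code: a small audit that checks a set of same-origin responses against the two conditions as stated above. The `snow.prod.js` file name, the `TRUSTED` allow-list and the sample pages are assumptions made for illustration.

```javascript
// Assumption: origins the site considers well trusted for framing.
const TRUSTED = new Set(["https://widgets.trusted.example"]);
// Assumption: the Snow bundle is served under this file name.
const SNOW_SCRIPT = /<script\b[^>]*\bsrc=["'][^"']*snow\.prod\.js["']/i;

// Parse one Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of (header || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Within a policy, the first occurrence of a directive wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// frame-src falls back to child-src, then default-src.
// With none of them present, framing is unrestricted (null).
function effectiveFrameSrc(policy) {
  for (const d of ["frame-src", "child-src", "default-src"]) {
    if (policy.has(d)) return policy.get(d);
  }
  return null;
}

// Condition 2: every allowed frame source is 'self', 'none' or an allow-listed origin.
// Wildcards, bare schemes and unknown hosts all count as untrusted.
function frameSrcIsRestricted(header) {
  const sources = effectiveFrameSrc(parseCsp(header));
  if (sources === null) return false;
  return sources.every((s) => {
    const v = s.toLowerCase();
    return v === "'self'" || v === "'none'" || TRUSTED.has(v);
  });
}

// Condition 1 is checked per page (bundle included); the post says ONE condition suffices.
function audit(pages) {
  const missingSnow = pages.filter((p) => !SNOW_SCRIPT.test(p.body)).map((p) => p.path);
  const looseFrames = pages.filter((p) => !frameSrcIsRestricted(p.csp)).map((p) => p.path);
  return { missingSnow, looseFrames, ok: missingSnow.length === 0 || looseFrames.length === 0 };
}

// Constructed sample responses, including an error page.
const SAMPLE = [
  { path: "/", csp: "default-src 'self'", body: '<script src="/snow.prod.js"></script>' },
  { path: "/404", csp: "default-src 'self'; frame-src *", body: "<h1>Not found</h1>" },
];
console.log(audit(SAMPLE));
```

The audit covers only the two conditions as written; the open question about `open()` in the post is not modelled.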