Can you bypass Snow 2? 🎉

[weizman]

This isn't really an issue, more of an invite to hack Snow again!

Snow 2 ❄️

• Snow 2 has been just released!
  • Full list of PRs and features introduced since last version (1.5.0) can be found at #76
• Most important change to Snow was recognizing this task isn't doable without some CSP help
  • Which is why from this version forward Snow requires:
    • unsafe-inline to be forbidden
    • object-src to not allow same origin srcs
  • In order to introduce a higher level of security
• Therefore, the demo app you know and love now enforces script-src 'self'; object-src 'none';

Your time is precious being highly talented figures, so I'd understand if you can't - but I invite you to give bypassing Snow another crack, with the hope that v2 is better secured.

Tagging former Snow security contributors @mmndaniel @arxenix @NDevTK @magicmac @rwaldron @benjamingr @naugtur @mhofman (thank you for your help so far ❤️ sorry if I forgot anyone)

Clarifications

1. Snow 2 solves all former issues (hopefully) which is why almost all of them are marked as "closed"
2. One issue that isn't fully addressed yet is #73 by @magicmac which is inertially more complicated and is being thought of @ #122

[weizman]

@benjamingr @ https://github.com/LavaMoat/snow/issues/129#issuecomment-1640046142

Found it, working on a fix

[weizman]

131 fixed, thank you @benjamingr 🙏

[weizman]

Snow 2 was a mistake #133