The full list of PRs and features introduced since the last version (1.5.0) can be found at #76.
The most important change to Snow was recognizing that this task isn't doable without some CSP help, which is why, from this version forward, Snow requires:

- `'unsafe-inline'` to be forbidden
- `object-src` to not allow same-origin sources

in order to introduce a higher level of security.

Therefore, the demo app you know and love now enforces `script-src 'self'; object-src 'none';`.
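As an added example that is not part of Snow or the LavaMoat project, the following script parses a `Content-Security-Policy` header and checks the two conditions above: the effective `script-src` must not permit `'unsafe-inline'`, and the effective `object-src` must not permit same-origin loads. It assumes the `'unsafe-inline'` requirement refers to script execution (`script-src`, falling back to `default-src`), applies the CSP rule that a nonce, a hash or `'strict-dynamic'` in the source list makes browsers ignore `'unsafe-inline'`, and uses a constructed origin `https://example.test`; the function names and sample policies are my own.

```javascript
// Added example: a CSP checker for the two requirements Snow 2 states.
// Not part of Snow or LavaMoat; names and sample policies are constructed.

// Parse a Content-Security-Policy header into a Map of directive -> sources.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per CSP, a repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Effective source list for a fetch directive: the directive itself,
// else default-src, else null (meaning "unrestricted").
function effectiveSources(directives, name) {
  if (directives.has(name)) return directives.get(name);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// True when the effective script-src still lets inline script run.
// Browsers ignore 'unsafe-inline' once a nonce, a hash or 'strict-dynamic'
// is present, so those cases are treated as safe.
function scriptAllowsUnsafeInline(directives) {
  const sources = effectiveSources(directives, 'script-src');
  if (sources === null) return true;
  const lower = sources.map(s => s.toLowerCase());
  if (!lower.includes("'unsafe-inline'")) return false;
  const neutralised = lower.some(s =>
    /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'");
  return !neutralised;
}

// True when a source list permits loads from `origin` (same-origin).
// Handles 'self', '*', scheme-sources and host-sources with a leading
// "*." wildcard; more exotic host-source forms are not modelled.
function allowsSameOrigin(sources, origin) {
  if (sources === null) return true;
  const url = new URL(origin);
  return sources.some(s => {
    const v = s.toLowerCase();
    if (v === "'self'" || v === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(v)) return url.protocol === v;
    const host = v.replace(/^[a-z][a-z0-9+.-]*:\/\//, '').replace(/\/.*$/, '');
    if (host === '*') return true;
    if (host.startsWith('*.')) return url.host.endsWith(host.slice(1));
    return host === url.host;
  });
}

// Check a policy against both Snow 2 requirements. Returns { ok, problems }.
function checkSnowCsp(header, origin) {
  const d = parseCsp(header);
  const problems = [];
  if (scriptAllowsUnsafeInline(d)) {
    problems.push("effective script-src permits 'unsafe-inline'");
  }
  if (allowsSameOrigin(effectiveSources(d, 'object-src'), origin)) {
    problems.push('effective object-src permits same-origin sources');
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample policies; the first is the one the demo app enforces.
const ORIGIN = 'https://example.test';
const SAMPLE_POLICIES = [
  "script-src 'self'; object-src 'none';",
  "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "script-src 'self' 'nonce-abc123' 'unsafe-inline'; object-src 'none'",
];
for (const policy of SAMPLE_POLICIES) {
  console.log(JSON.stringify(policy), '->', checkSnowCsp(policy, ORIGIN));
}
```

The second sample shows the subtle case: a policy with no explicit `object-src` inherits `default-src 'self'`, so plugins can still be loaded from the page's own origin even though nothing in the header mentions `object-src` at all.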
Your time is precious, being highly talented figures, so I'd understand if you can't, but I invite you to give bypassing Snow another crack, with the hope that v2 is better secured.
Tagging former Snow security contributors @mmndaniel @arxenix @NDevTK @magicmac @rwaldron @benjamingr @naugtur @mhofman (thank you for your help so far ❤️ sorry if I forgot anyone)
Clarifications
Snow 2 solves all former issues (hopefully), which is why almost all of them are marked as "closed".
One issue that isn't fully addressed yet is #73 by @magicmac, which is inherently more complicated and is being thought through at #122.
Snow 2 ❄️