The idea is to tell opened windows (such as tabs) from child windows (such as iframes), because opened windows have their own top.
Consider a few scenarios:
- Normal single app load
  - App loads
  - Snow attempts to apply first protection (to top)
    - Trying to set mark
      - No mark
        - Mark and protect
      - Marked
        - Since this is a top window, warn user that the page is probably compromised and bail on protection - this really should never happen, only if something malicious ran before SNOW
- App load + iframe
  - App loads
  - Snow protects top
  - Attacker opens iframe
    - Trying to set mark
      - No mark
        - Mark and protect
      - Marked
        - Since this is NOT a top window, apply infinite loop and DoS page because only attacker can cause this
  - Snow instance in iframe loads
    - Snow protection is called
      - Since window is not top, Snow bails
      - Safe because top already protected iframe when created
      - PROBLEM TO FIX: If some inner page applies different Snow protection than upper page, it will be ignored by Snow!
      - ALSO: Is this problem relevant to next scenario as well?
- App load + open window
  - App loads
  - Snow protects top
  - Attacker opens tab
    - Trying to set mark
      - No mark
        - Mark and protect
      - Marked
        - Since this is a top window, but it is also being protected by opener Snow, tell user Snow bails and that it's ok
  - Snow instance in opened tab loads
    - Snow protection is called
      - Trying to set mark
        - No mark
          - Mark and protect
        - Marked
          - Will fail to set mark because opener already marked
          - Since window is in fact a top, bail on mark attempt, we trust opener has set protection
Attempt to fix #81.
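The three scenarios above can be read as one decision table. The following is an added sketch, not code from Snow or from this pull request: `MARK`, `trySetMark`, `decide` and `fakeWindow` are hypothetical names, the use of a non-null `opener` to tell an opened tab from a plain top is an assumption, and the `'halt'` result stands in for the loop described above.

```javascript
// Added illustration; every name here is hypothetical, not Snow's API.
const MARK = 'SNOW_MARK_EXAMPLE'; // assumed mark name

// Place a non-configurable mark; returns false when one is already present.
function trySetMark(win) {
  if (Object.prototype.hasOwnProperty.call(win, MARK)) return false;
  Object.defineProperty(win, MARK, {
    value: true, writable: false, configurable: false, enumerable: false,
  });
  return true;
}

// selfLoad is true when a Snow instance running inside `win` protects its own
// window, false when an already-running instance hooks a newly created window.
function decide(win, selfLoad) {
  const isTop = win.top === win;
  if (selfLoad && !isTop) return 'bail-child'; // top protected this frame at creation
  if (trySetMark(win)) return 'protect';       // no mark: mark and protect
  if (!isTop) return 'halt';                   // marked child frame
  // Assumption: a non-null opener identifies an opened tab.
  if (win.opener) return 'bail-opener';        // trust the opener's protection
  return 'warn';                               // top was marked before first protection
}

// Constructed stand-ins for browser windows so the sketch runs under Node.
function fakeWindow(parent, opener) {
  const w = { opener: opener || null };
  w.top = parent ? parent.top : w;
  return w;
}

function runScenarios() {
  const app = fakeWindow();
  const frame = fakeWindow(app);
  const tab = fakeWindow(null, app);
  return [
    decide(app, true),    // scenario 1: first protection of top
    decide(app, true),    // scenario 1: mark already present
    decide(frame, false), // scenario 2: top's instance hooks the new iframe
    decide(frame, false), // scenario 2: iframe found already marked
    decide(frame, true),  // scenario 2: instance loaded inside the iframe
    decide(tab, false),   // scenario 3: opener's instance hooks the new tab
    decide(tab, true),    // scenario 3: instance loaded inside the tab
  ];
}
```
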