Can you bypass Snow 2? 🎉

[weizman]

This isn't really an issue, more of an invite to hack Snow again!

Snow 2 ❄️

• Snow 2 has been just released!
  • Full list of PRs and features introduced since last version (1.5.0) can be found at Release 2.0.0 #76
• Most important change to Snow was recognizing this task isn't doable without some CSP help
  • Which is why from this version forward Snow requires:
    • unsafe-inline to be forbidden
    • object-src to not allow same origin srcs
  • In order to introduce a higher level of security
• Therefore, the demo app you know and love now enforces script-src 'self'; object-src 'none';

Your time is precious being highly talented figures, so I'd understand if you can't - but I invite you to give bypassing Snow another crack, with the hope that v2 is better secured.

Tagging former Snow security contributors @mmndaniel @arxenix @NDevTK @magicmac @rwaldron @benjamingr @naugtur @mhofman (thank you for your help so far ❤️ sorry if I forgot anyone)

Clarifications

1. Snow 2 solves all former issues (hopefully) which is why almost all of them are marked as "closed"
2. One issue that isn't fully addressed yet is Snow can be bypassed with ...data: URI #73 by @magicmac which is inertially more complicated and is being thought of @ Better communicate Snow needs to be implemented in all pages #122

[weizman]

@benjamingr @ #129 (comment)

Found it, working on a fix

[weizman]

#131 fixed, thank you @benjamingr 🙏

[weizman]

Snow 2 was a mistake #133