
Is Snow useless without CSP? #109

@weizman

Description


I'm lately coming to the realization that Snow cannot protect same origin realms completely and will need some help from CSP.
I'd like to start an initiative around encouraging users to remember to use Snow while implementing some baseline of CSP. This creates a few tasks:

  1. Research and understand what the things are, and what the spectrum is, that Snow won't be able to defend against
  2. Come up with a CSP that is as permissive as possible while being as helpful to Snow's protection as possible
  3. Make it clear in documentation that this level of CSP is needed, explain it and break down the different directives
  4. Create a hardened version of the demo that applies the CSP, so that we'll be able to differentiate Snow vulns that bypass both Snow and CSP or just Snow

This is important for the future of Snow because it's probably close to useless without CSP since there are some techniques Snow cannot defend against (unfortunately).

Labels: documentation, enhancement, help wanted
