Snow stops playing nice - security first at the cost of everything else

.github/workflows/main.yml

@@ -1,9 +1,11 @@
-name: CI
-on: [push, pull_request]
+name: Tests
+on: [pull_request]
 
 jobs:
-  test:
-    name: Tests
+  test-with-csp:
+    env:
+      CSP: '1'
+    name: +CSP
     runs-on: macos-latest
     strategy:
       matrix:
@@ -23,3 +25,26 @@ jobs:
         run: yarn build-test-firefox
       - name: Test Safari
         run: yarn build-test-safari
+  test-without-csp:
+    env:
+      CSP: '0'
+    name: -CSP
+    runs-on: macos-latest
+    strategy:
+      matrix:
+        node-version: [18.x]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v1
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Install Dependencies
+        run: yarn
+      - name: Test Chrome
+        run: yarn build-test-chrome
+      - name: Test FireFox
+        run: yarn build-test-firefox
+      - name: Test Safari
+        run: yarn build-test-safari

README.md

@@ -43,10 +43,13 @@ to **non extension javascript with the same privileges as the web app**.
 
 ## 🚨 IMPORTANT UPDATE 🚨
 
-Starting Version [2.0.0](https://github.com/LavaMoat/snow/pull/76) Snow officially doesn't support vulnerabilities that
+Starting Version [2.0.1](https://github.com/LavaMoat/snow/pull/134) Snow officially doesn't support vulnerabilities that
 can be protected against by disallowing `unsafe-inline` completely and by correctly using the `object-src` directive to not allow `self`.
+* To learn more why is that, see [section 3](#install).
 
-To learn more why is that, see [section 3](#install).
+In addition, Snow ["stops playing nice"](https://github.com/LavaMoat/snow/pull/133) - operations that are considered insecure will be intercepted and cause Snow to throw an exception.
+This is part of the realization we reached as part of the work on Snow, where "nice security" leaves Snow vulnerable, and true security can only be shipped with a more "aggresive" approach.
+* To learn more why is that, see [#133](https://github.com/LavaMoat/snow/pull/133).
 
 ## [Demo](https://lavamoat.github.io/snow/demo/#self-xss-challenge-msg) - The Snow Challenge! 🏆
 
@@ -105,17 +108,17 @@ in order for it to play its role securely.
    extensions). In order to achieve that, when loading via a script tag it must load script 
    synchronously (do not use `async=true`!).
 
-2. **It's better to be served as-is** - If it goes through any bundlers that might change it,
+3. **It has to be served as-is** - If it goes through any bundlers that might change it,
    the modified version might contain flaws that attackers might use to cancel its effect (for further
    explanation see [natives](https://github.com/lavamoat/snow/wiki/Introducing-Snow#natives) section). 
 
-3. **Most importantly, it's highly vulnerable without minimal help from CSP** - As of version 2.0.0 the project will
+4. **Most importantly, it's highly vulnerable without minimal help from CSP** - As of version 2.0.1 the project will
    seize to attempt to defend against vulnerabilities that aren't possible to exploit when 
    (a) `unsafe-inline` isn't allowed and (b) `object-src` to `self` isn't allowed.
    This is because (a) defending against string-JS attacks is basically an endless task and probably impossible, and
    (b) `object`/`embed` elements behaviour is also too unpredictable while these elements shouldn't be even used in the
    first place. Snow will do its best regardless of what CSP is applied - **use at your own risk!** 
-   1. please learn more about this ☝️ at [#118](https://github.com/LavaMoat/snow/pull/118/)
+   * please learn more about this ☝️ at [#118](https://github.com/LavaMoat/snow/pull/118/) & [#133](https://github.com/LavaMoat/snow/pull/133/)
 
 
 `SNOW` API can also be required as part of a bundle instead of a script tag:

chrome.wdio.conf.js

@@ -1,6 +1,5 @@
 global.BROWSER = 'CHROME';
 exports.config = {
-    automationProtocol: 'devtools',
     //
     // ====================
     // Runner Configuration
@@ -65,7 +64,6 @@ exports.config = {
         'goog:chromeOptions': {
             args: [
                 '--headless',
-                '-auto-open-devtools-for-tabs',
                 'disable-gpu',
                 '--enable-features=DocumentPictureInPictureAPI'
             ],

demo/index.html

@@ -23,6 +23,7 @@
                     }
                 }
             } else {
+                location.search.includes('disable_csp') ||
                 document.write(`<meta http-equiv="Content-Security-Policy" content="script-src 'self' blob:; object-src 'none';">`);
             }
         </script>
@@ -180,6 +181,6 @@ <h3><i>~ Can you bypass Snow?</i></h3>
             Invented and developed by <a href="https://weizmangal.com/">Gal Weizman 👋🏻</a>
         </blockquote>
 
-        <script src="./util.js"></script>
+        <script src="util.js"></script>
     </body>
 </html>

demo/util.js

@@ -11,7 +11,7 @@ function run(js) {
 }
 
 (function(){
-    location.search.includes('disable') || SNOW((win) => {
+    location.search.includes('disable_snow') || SNOW((win) => {
         win.alert = (msg) => {
             console.log('Snow: ', 'alert API is disabled, message is printed to console instead: ', msg);
         }

firefox.wdio.conf.js

@@ -64,7 +64,7 @@ exports.config = {
         'moz:firefoxOptions': {
             args: [
                 '--headless',
-                'disable-gpu',
+                'disable-gpu'
             ],
         },
         acceptInsecureCerts: true

package.json

@@ -6,20 +6,21 @@
   "devDependencies": {
     "@babel/core": "^7.13.15",
     "@babel/preset-env": "^7.13.15",
-    "@wdio/cli": "^8.12.2",
-    "@wdio/local-runner": "^8.12.1",
-    "@wdio/mocha-framework": "^8.12.1",
-    "@wdio/spec-reporter": "^8.12.2",
+    "@wdio/cli": "^7.5.3",
+    "@wdio/local-runner": "^7.5.5",
+    "@wdio/mocha-framework": "^7.5.3",
+    "@wdio/spec-reporter": "^7.5.3",
     "babel-loader": "^8.2.2",
-    "chromedriver": "^113.0.0",
+    "chromedriver": "^114.0.0",
     "geckodriver": "^3.2.0",
-    "wdio-chromedriver-service": "^8.1.1",
+    "wdio-chromedriver-service": "7.0.0",
     "wdio-safaridriver-service": "^2.0.0",
     "wdio-geckodriver-service": "^4.0.0",
     "webpack": "^5.33.2",
     "webpack-cli": "^4.6.0"
   },
   "scripts": {
+    "demo": "npx serve .",
     "use-strict-dev": "node -p 'fs.writeFileSync(`snow.js`, `(function(){\n\"use strict\";\nif (typeof SNOW === \"function\") return;\n` + fs.readFileSync(`snow.js`)+ `\n}())`) , `successfully wrapped snow.js with use-strict scope`'",
     "use-strict-prod": "node -p 'fs.writeFileSync(`snow.prod.js`, `(function(){\"use strict\";if (typeof SNOW === \"function\") return;` + fs.readFileSync(`snow.prod.js`)+ `}())`) , `successfully wrapped snow.prod.js with use-strict scope`'",
     "build-dev": "webpack --config ./webpack.config.js && yarn use-strict-dev",