{"id":13746092,"url":"https://github.com/lavamoat/snow","last_synced_at":"2026-01-20T17:59:15.423Z","repository":{"id":45974100,"uuid":"497961481","full_name":"LavaMoat/snow","owner":"LavaMoat","description":"Use Snow to finally secure your web app's same origin realms!","archived":false,"fork":false,"pushed_at":"2025-04-08T11:39:43.000Z","size":483,"stargazers_count":108,"open_issues_count":24,"forks_count":9,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-08T12:34:46.586Z","etag":null,"topics":["iframe","javascript","realms","security"],"latest_commit_sha":null,"homepage":"https://lavamoat.github.io/snow/demo/","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LavaMoat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-30T13:45:29.000Z","updated_at":"2025-03-05T21:32:06.000Z","dependencies_parsed_at":"2023-11-15T22:32:24.282Z","dependency_job_id":"5fb0e5c7-5a49-47be-a0a8-c665017a2704","html_url":"https://github.com/LavaMoat/snow","commit_stats":{"total_commits":91,"total_committers":2,"mean_commits":45.5,"dds":0.01098901098901095,"last_synced_commit":"b8225c880231ebe0ecac4591b2f4840bc3fea08a"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LavaMoat%2Fsnow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LavaMoat%2Fsnow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LavaMoat%2Fsnow/releases","manifests_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LavaMoat%2Fsnow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LavaMoat","download_url":"https://codeload.github.com/LavaMoat/snow/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253206069,"owners_count":21871158,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["iframe","javascript","realms","security"],"created_at":"2024-08-03T06:00:46.565Z","updated_at":"2026-01-20T17:59:15.386Z","avatar_url":"https://github.com/LavaMoat.png","language":"JavaScript","funding_links":[],"categories":["Realms(/iFrames) Security"],"sub_categories":["Tools"],"readme":"\u003cdiv align=\"center\"\u003e\n    \u003ch1\u003e Snow JS ❄️ \u003c/h1\u003e\n    \u003ci\u003e ~ \u003cb\u003eS\u003c/b\u003eecuring \u003cb\u003eN\u003c/b\u003eested \u003cb\u003eO\u003c/b\u003ewnership of \u003cb\u003eW\u003c/b\u003eindows ~ \u003c/i\u003e\n    \u003cbr/\u003e\u003cbr/\u003e\n    \u003cimg src=\"https://img.shields.io/npm/v/@lavamoat/snow\"/\u003e\n    \u003cimg src=\"https://img.shields.io/bundlephobia/min/@lavamoat/snow\"/\u003e\n    \u003cimg src=\"https://badges.frapsoft.com/javascript/code/javascript.svg?v=101\" width=\"113\"\u003e\n    \u003cimg src=\"https://img.shields.io/npm/dw/@lavamoat/snow\"/\u003e\n    \u003cimg src=\"https://img.shields.io/github/license/lavamoat/snow\"/\u003e\n    \u003cbr/\u003e\u003cbr/\u003e\n    \u003ci\u003e / Keeping an 👀 on these \u003ccode\u003e\u003ciframe\u003e\u003c/code\u003es for ya! 
/ \u003c/i\u003e\n    \u003cbr/\u003e\u003cbr/\u003e\n\u003c/div\u003e\n\n\u003e _Snow is the **most advanced** open-source tool for securing same-origin realms in runtime browser apps - **secured** and **easy to use**:_\n\n* Include Snow in your web app's loading HTML file (or by [requiring it as a module](#Install)):\n```html\n\u003cscript src=\"https://unpkg.com/@lavamoat/snow/snow.prod.js\"\u003e\u003c/script\u003e\n```\n* Pass Snow a callback and Snow will invoke it with **every** new window object at runtime!\n```javascript\nSNOW( win =\u003e console.log('New window detected:', win) )\n```\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg width=\"750\" alt=\"❄️SNOW❄️\" src=\"https://user-images.githubusercontent.com/13243797/219565727-12f00654-a709-4a39-87fc-5a60f643b308.png\"\u003e\n\u003cbr\u003e\u003cbr\u003e\n\u003ci\u003e Snow aspires to standardize how to recursively and \u003cb\u003e securely own newborn windows \u003c/b\u003e (aka iframes/realms) \u003cbr\u003e within a browser web app, \n\u003cb\u003e from the context of the app itself \u003c/b\u003e. 
\u003c/i\u003e\n\u003c/div\u003e\n\n## About\n\nSnow is an experimental ⚠️ tool coming in the form of a **JavaScript shim** that, once applied to the page, exposes an API which, when \nprovided with a callback, will make sure to call it with **every new window** that is being \ninjected into the DOM, **before** its creator gets hold of it.\n\nThis ability exists for extensions (with the `all_frames: true` property), but `Snow` brings it\nto **non-extension JavaScript with the same privileges as the web app**.\n    \n\u003e _Read more about Snow and the motivation behind it [here](https://github.com/lavamoat/snow/wiki/Introducing-Snow)_\n\n## 🚨 IMPORTANT UPDATE 🚨\n\nStarting with version [2.0.1](https://github.com/LavaMoat/snow/pull/134), Snow officially no longer attempts to defend against vulnerabilities that\ncan be protected against by disallowing `unsafe-inline` completely and by correctly using the `object-src` directive to not allow `self`.\n* To learn why, see [section 4](#install).\n\nIn addition, Snow [\"stops playing nice\"](https://github.com/LavaMoat/snow/pull/133) - operations that are considered insecure will be intercepted and cause Snow to throw an exception.\nThis is part of the realization we reached while working on Snow: \"nice security\" leaves Snow vulnerable, and true security can only be shipped with a more \"aggressive\" approach.\n* To learn why, see [#133](https://github.com/LavaMoat/snow/pull/133).\n\n## [Demo](https://lavamoat.github.io/snow/demo/#self-xss-challenge-msg) - The Snow Challenge! 
🏆\n\n\u003cdiv align=\"center\"\u003e\n\u003cimg width=\"759\" alt=\"Screenshot 2023-02-25 at 19 54 33\" src=\"https://user-images.githubusercontent.com/13243797/221372185-eaeea815-b693-43bf-a371-6375ce8e0e8b.png\"\u003e\n\u003c/div\u003e\n\u003cbr\u003e\n\nSnow's challenge is the easiest way to **grasp the power of Snow.** \n\nHere we have a serverless [demo app](https://lavamoat.github.io/snow/demo/#self-xss-challenge-msg), which installs and **uses Snow to disable the functionality of the `alert` function** for all same-origin realms.\n    \nIn other words, the app uses Snow to make sure **no one can call the `alert` function**, not even when:\n* Trying to create an `\u003ciframe\u003e` and use its inner window's `alert`;\n* Trying to call the `alert` function from the console (even self-XSS won't help you!);\n* Trying to open a new tab and use its `alert`.\n    \nHence, the rules are very simple - **visit the [app](https://lavamoat.github.io/snow/demo/) and pop an alert! 😉**\n    \nIf you manage to bypass Snow and pop an alert message - **help us** by opening an issue so we can continue to **improve Snow's security**!\n    \n## Usage\n\n```javascript\n// API\nSNOW(cb = (win) =\u003e { /* LOGIC */ });\n\n\n// example, disable alert API in the webpage completely\nSNOW((win) =\u003e {\n    win.alert = (msg) =\u003e {\n        console.log('alert is disabled! 
msg is: ' + msg);\n    };\n});\n```\n\n## Install\n\nThe latest `snow` [production version](https://raw.githubusercontent.com/lavamoat/snow/main/snow.prod.js) is included in the official repo\nand also on the [unpkg CDN](https://unpkg.com/@lavamoat/snow/snow.prod.js), so in order to\ninstall `snow` in the website, simply place it wherever you like and serve it to the website as-is:\n\n```html\n\u003cscript src=\"https://unpkg.com/@lavamoat/snow/snow.prod.js\"\u003e\u003c/script\u003e\n```\n\nAfter this line, the window should expose the `window.SNOW` API for the\nrest of the scripts in the website to use.\n\nUnlike standard third-party libraries, `snow` has special requirements (security-wise) in order for it to play its role securely.\n\n\u003e **👇 It is highly important to be aware of them when integrating Snow into an app to gain full security - READ CAREFULLY 👇:**\n\n1. **It has to run as the first piece of JavaScript that runs in the webpage** - otherwise any\n   other JavaScript code will have the ability to bypass `snow` and cancel \n   its purpose completely (that's why `snow` can never overpower extensions).\n   In order to achieve that, when loading via a script tag it must load synchronously (do not use `async=true`!).\n\n2. **It has to be served as-is** - If it goes through any bundlers that might change it,\n   the modified version might contain flaws that attackers might use to cancel its effect (for further\n   explanation see the [natives](https://github.com/lavamoat/snow/wiki/Introducing-Snow#natives) section).\n\n3. **Snow needs to be set and called in every HTML page served from your web app** - Even though this is the attack vector\n   Snow tries to protect the app against, there are types of attacks Snow won't be able to defend against (which is why\n   we want Snow to become a native browser feature so badly!). 
This mainly refers to the [#73 discovery](https://github.com/LavaMoat/snow/issues/73).\n   The only way to defend the app against such an attack is to make sure all HTML files served by the app load Snow themselves.\n   Does this make Snow useless? No - there are plenty of other types of attacks Snow defends your app against.\n\n4. **Most importantly, it's highly vulnerable without minimal help from CSP** - As of version 2.0.1 the project will\n   cease attempting to defend against vulnerabilities that aren't possible to exploit when \n   (a) `unsafe-inline` isn't allowed and (b) `self` isn't allowed for `object-src`.\n   This is because (a) defending against string-JS attacks is basically an endless task and probably impossible, and\n   (b) the behaviour of `object`/`embed` elements is also too unpredictable, while these elements shouldn't even be used in the\n   first place. Snow will do its best regardless of what CSP is applied - **use at your own risk!** \n   * please learn more about this ☝️ at [#118](https://github.com/LavaMoat/snow/pull/118/) \u0026 [#133](https://github.com/LavaMoat/snow/pull/133/)\n\n\nThe `SNOW` API can also be required as part of a bundle instead of a script tag:\n\n```\nyarn add @lavamoat/snow\n```\n\n```javascript\nconst snow = require('@lavamoat/snow');\n```\n\n## Contribute\n\nThis project is an important POC aspiring to standardize how windows should be hermetically\nhandled; however, it is not yet production ready.\n\n`snow` is ultimately a shim that both demonstrates and makes use of the API we wish to see built into browsers in the future. \nUntil `snow` becomes a platform built-in API, we have to attempt to overcome several challenges that are significantly harder to solve in pure JavaScript:\n\n### Support\n\n`snow` supports Chrome, Firefox, Safari and all other Chromium-based browsers (Opera, Edge, Brave, etc).\n\n### Performance\n\nAchieving a hermetic solution costs performance. 
Injecting this script into some major\nwebsites went smoothly, while with some others it caused performance issues.\n\n### Security\n\nAlthough this project takes the hermetic concept very seriously and tests extensively for\npotential flaws, `snow` might still have flaws that enable attackers\nto bypass its hooks.\n\nBottom line - `snow` might have security vulnerabilities!\n\nHopefully in the future `snow` will become a built-in API provided by the browser. \nAchieving that goal will allow security assurance - such functionality is safer to implement \non behalf of the browser rather than the web app.\n\n### Tests\n\nIn order to assure security, there are many tests that verify that `snow`\nis fully hermetic as promised - everything that `snow` supports is fully tested.\n\nThe tests mainly try to bypass `snow` in any possible way.\n\nIf you find a vulnerability in `snow`, open a PR with a test that demonstrates it (or just let us know, and we'll do it).\n\n### Help\n\nHelp with promoting any of the topics above is very much appreciated in order for this project\nto become production ready and reshape how hermetic window hooking should look!\n\n## Troubleshooting\n\nIn the [log.js](https://github.com/LavaMoat/snow/blob/main/src/log.js) file you can find references\nto issues you might encounter using snow. 
\nIf you do, you should see an error/warning thrown to the console in your application with a reference\nto the relevant issue thread.\n\nIn each thread a discussion around the issue is held in order to better solve it, so please\nshare your experience with the issue so that we can solve it in the best way possible.\n\nIf you encounter an issue that is not being handled by snow correctly, please open a new one.\n\n## Supporters\n\nFunded by [Consensys 💙](https://github.com/consensys)\n\nMaintained and developed by [MetaMask 🦊](https://github.com/MetaMask)\n    \nPart of the [LavaMoat 🌋](https://github.com/LavaMoat) JavaScript security toolbox\n\nInvented and developed by [Gal Weizman 👋🏻](https://weizmangal.com/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flavamoat%2Fsnow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flavamoat%2Fsnow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flavamoat%2Fsnow/lists"}