npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@weizman/snow

v1.2.1

Published

standardize how to recursively own newborn windows within a web app, from the context of the app itself

Downloads

24

Readme

Snow ❄️

Securing Nested Ownership of Windows

Snow aspires to standardize how to recursively own newborn windows (aka iframes/realms) within a browser web app, from the context of the app itself, and ideally to achieve that goal as a browser builtin API in the future.

Until then, it comes in the form of a shim that once applied to the page exposes an API that when is provided with a callback, will make sure to call it with every new window that is being injected to DOM, before its creator gets a hold on it.

This ability exists for extensions (with the all_frames: true property), but Snow brings it to non extension javascript with the same privileges as the web app.

  • Test Snow for yourself with this live demo!
  • Learn more about the motivation behind Snow and why it should be a browser builtin API
  • Snow is still experimental ⚠️ - your help is highly appreciated!

Usage

// API
window.SNOW(cb = (win) => {}, win = window);


// example, disable alert API in the webpage completely
window.SNOW((win) => {
    win.alert = (msg) => {
        console.log('alert is disabled! msg is: ' + msg);
    };
});

Install

The latest snow production version is included in the official repo and also in upkg cdn, so in order to install snow in the website, simply place it wherever and serve it to the website as-is:

<script src="https://unpkg.com/@weizman/snow/snow.prod.js"></script>

After this line, window should expose window.SNOW API for the rest of the scripts in the website to use.

Not like standard third party libraries, snow has special requirements (security-wise) in order for it to play its role securely.

  1. It has to run as the first piece of javascript that runs in the webpage - otherwise any other javascript code will have the ability to bypass snow and cancel its purpose completely (that's why snow can never overpower extensions). In order to achieve that, when loading via a script tag it must load script synchronously (do not use async=true!).

  2. It's better to be served as-is - If it goes through any bundlers that might change it, the modified version might contain flaws that attackers might use to cancel its effect (for further explanation see natives section).

SNOW API can also be required as part of a bundle instead of a script tag:

yarn add @weizman/snow
const snow = require('@weizman/snow');

Contribute

This project is an important POC aspiring to standardize how windows should be hermetically handled, however it is not yet production ready.

snow eventually is a shim that comes to both demonstrate and utilize the API we wish to see builtin to browsers in the future. Until snow becomes a platform builtin API, we have to attempt to overcome several challenges that are significantly harder to do so in pure javascript:

Support

Currently snow is written to support chromium based browsers only, it was never tested on anything else.

Performance

Achieving an hermetic solution costs in performance. Injecting this script into some major websites went smoothly while with some others it caused them some performance issues.

Security

Although this project takes the hermetic concept very seriously and massively tests for potential flaws, snow might potentially still have flaws which might enable attackers to bypass its hooks.

Bottom line - snow might have security vulnerabilities!

Hopefully in the future snow will become a builtin API provided by the browser. Achieving that goal will allow security assurance - such functionality will be safer to implement on behalf of the browser rather than the web app.

Tests

In order to assure security, there are many tests that verify that snow is fully hermetic as promised - everything that snow supports is fully tested.

The tests mainly try to bypass snow in any possible way.

If you found a vulnerability in snow, open a PR with a test that demonstrates it (or just let us know, and we'll do it).

Help

Help with promoting any of the topics above is very much appreciated in order for this project to become production ready and reshape how hermetic window hooking should look like!

Troubleshooting

In log.js file you can find references to issues you might encounter using snow. If you do, you should see an error/warning thrown to console in your application with a reference to the relevant issue thread.

In each thread a discussion around the issue is being made in order to better solve it, so please share your experience with the issue in order for us to solve it in the best way possible.

If you encounter an issue that is not being handled by snow correctly, please open a new one.

Supporters

Funded by Consensys 💙

Maintained and developed by MetaMask 🦊

Invented and developed by Gal Weizman 👋🏻

Runs on Securely 🔒