Better communicate Snow needs to be implemented in all pages #122
CTX #109 (comment):
What would also help is if we communicate the importance of implementing Snow in all same origin pages, this should help with issues such as #73
CTX 2 #73 (comment):
#128 fixes some problems from #124, bringing us closer to a solution for this problem.
Next step would be to address #122, so that it's clear for the users what they need to do to protect themselves fully against #73
Bottom line:
Past PRs make it so that exploiting #73 isn't possible if ONE of the following TWO conditions is met:
1. Snow is correctly implemented in ALL same origin HTML pages served by the server (including 404 and such).
   - #128 (Harden Snow iframes clashing and protection) is designed so that calling Snow is only necessary in the top main realm, you just need to include the bundle in all pages (or call Snow in all pages too, either way is fine).
2. Pages correctly allow `frame-src` CSP only to same-origin or well trusted origins. Allowing untrusted cross origin iframes allows #73 (Snow can be bypassed with ...data: URI) to exist when condition (1) isn't met.
   - Note: is that true when taking `open()` into consideration too? Need to research...
This ⬆️ needs to be correctly communicated for #73 to be considered addressed.
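As an added example (not code from the Snow project), the following Node.js check audits a `Content-Security-Policy` header against condition (2) above: frames may only load from the same origin or an explicit allowlist. `trustedOrigins` is assumed to be an allowlist maintained by the site operator; the CSP fallback chain (`frame-src`, then `child-src`, then `default-src`) is standard CSP behaviour.

```javascript
// Added example (not part of Snow): audit a CSP header for condition (2),
// i.e. frame-src restricted to 'self' or an explicit allowlist of origins.
// Runs in Node.js with no dependencies.

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // CSP honours only the first occurrence of a directive.
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Sources governing nested browsing contexts: frame-src, else child-src,
// else default-src (the CSP3 fallback chain). Returns null when none is set,
// which means the page can be framed from any origin.
function effectiveFrameSources(policy) {
  for (const d of ['frame-src', 'child-src', 'default-src']) {
    if (policy.has(d)) return policy.get(d);
  }
  return null;
}

// Returns { ok, violations }. trustedOrigins (assumed, operator-supplied) is a
// list of exact origins that are considered well trusted.
function auditFrameSrc(header, trustedOrigins = []) {
  const sources = effectiveFrameSources(parseCsp(header));
  if (sources === null) {
    return { ok: false, violations: ['no frame-src/child-src/default-src set'] };
  }
  const trusted = new Set(trustedOrigins.map((o) => o.toLowerCase()));
  const violations = [];
  for (const src of sources) {
    const s = src.toLowerCase();
    if (s === "'self'" || s === "'none'" || trusted.has(s)) continue;
    // Anything else (wildcards, bare schemes such as data: or https:,
    // unlisted hosts) lets an untrusted cross-origin document be framed.
    violations.push(src);
  }
  return { ok: violations.length === 0, violations };
}
```

A page whose audit reports `ok: false` relies entirely on condition (1), so every same-origin page it serves, 404 pages included, must load the Snow bundle.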