Implement is-cross-origin internally so it doesn't throw

[weizman]

• is-cross-origin throws if received object isn't a window
• this apparently is possible (dom clobbering with indexes 😱)
• no reason for it to throw, just continue to next window in frames array
• in fact, no reason for this to be an external package at all, implement internally instead
  • making Snow a deps-free project 🎉

[weizman]

This allowed Snow bypass:

(function(){
    const ifr = document.createElement('iframe');
    const ifr2 = document.createElement('iframe');
    document.body.appendChild(ifr);
    const div = document.createElement('div');
    div.id='0';
    setTimeout(() => { ifr2.contentWindow.alert.call(top,1); }, 500);
    try { ifr.contentWindow.document.body.appendChild(div); } catch {}
    document.body.appendChild(ifr2);
}());

[weizman]

Update, #111 was not strong enough, the isWindow function could have been easily bypassed, e2cf42e introduces a hardening fix to that (instead of walking the frames array until there's nothing in there, walk it according to the length prop. That way we only walk through windows and not through windows + clobbered elements)