Better communicate Snow needs to be implemented in all pages (#135)
weizman authored Aug 3, 2023
1 parent 952fb5f commit 3f4a5aa
Showing 1 changed file with 15 additions and 9 deletions.
24 changes: 15 additions & 9 deletions README.md
@@ -99,18 +99,24 @@ install `snow` in the website, simply place it wherever and serve it to the webs
After this line, window should expose `window.SNOW` API for the
rest of the scripts in the website to use.

Not like standard third party libraries, `snow` has special requirements (security-wise)
in order for it to play its role securely.
Not like standard third party libraries, `snow` has special requirements (security-wise) in order for it to play its role securely.

1. **It has to run as the first piece of javascript
that runs in the webpage** - otherwise any other javascript code will have the ability to
bypass `snow` and cancel its purpose completely (that's why `snow` can never overpower
extensions). In order to achieve that, when loading via a script tag it must load script
synchronously (do not use `async=true`!).
> **👇 It is highly important to be aware of them when integrating Snow into an app to gain full security - READ CAREFULLY 👇:**
3. **It has to be served as-is** - If it goes through any bundlers that might change it,
1. **It has to run as the first piece of javascript that runs in the webpage** - otherwise any
other javascript code will have the ability to bypass `snow` and cancel
its purpose completely (that's why `snow` can never overpower extensions).
In order to achieve that, when loading via a script tag it must load script synchronously (do not use `async=true`!).

2. **It has to be served as-is** - If it goes through any bundlers that might change it,
the modified version might contain flaws that attackers might use to cancel its effect (for further
explanation see [natives](https://github.com/lavamoat/snow/wiki/Introducing-Snow#natives) section).
explanation see [natives](https://github.com/lavamoat/snow/wiki/Introducing-Snow#natives) section).

3. **Snow needs to be set and called in every HTML page served from your web app** - Even though this is the attack vector
Snow tries to protect the app against, there are types of attacks Snow won't be able to defend against (which is why
we want Snow to become a native browser feature so bad!). This mainly refers to the [#73 discovery](https://github.com/LavaMoat/snow/issues/73).
The only way to defend the app against such an attack it to make sure all HTML files served by the app load Snow themselves.
Does this make Snow useless? No - there are planty other types of attacks Snow defends your app against.

4. **Most importantly, it's highly vulnerable without minimal help from CSP** - As of version 2.0.1 the project will
seize to attempt to defend against vulnerabilities that aren't possible to exploit when
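Review bot: the new item 3 ("Snow needs to be set and called in every HTML page") ships with two typos that should be fixed before merge: "The only way to defend the app against such an attack it to make sure" should read "is to make sure", and "planty other types of attacks" should read "plenty". The same paragraph also leans entirely on the link to the #73 discovery to explain which attack cannot be defended against; one sentence summarising the issue inline (what a page that does not load Snow exposes, and why a page-local guard cannot cover it) would let an integrator understand the requirement without leaving the README. In the unchanged item 4 context, "seize to attempt to defend" should be "cease to attempt to defend"; since this commit already rewrites the surrounding list, it is a cheap fix to fold in here. Finally, consider keeping "JavaScript" capitalised consistently in items 1 and 3 of the reworded list.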

0 comments on commit 3f4a5aa