[Tails-dev] Security of postMessage between Tails Verificati…

Nachricht löschen

Nachricht beantworten
Autor: sajolida
Datum:  
To: The Tails public development discussion list, Uzair Farooq
Betreff: [Tails-dev] Security of postMessage between Tails Verification and the download page
Hi,

The work on Tails Verification (the replacement of DAVE) and the new
download page is almost done and it's work fine. Still, I got quite
scared reading about the security implications postMessage:

https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Uzair wrote the code and u already reviewed it but I'd like to have
someone else telling me that this is fine and that only the extension
can send a "verification-success" message to the download page.

The JavaScript in the download page:

https://git-tails.immerda.ch/tails/tree/wiki/src/install/inc/js/dave_2.js

The code of the Tails Verification extension:

https://github.com/usman-subhani/verification-extension/blob/master/src/scripts/contentscript/verify.js