[Tails-dev] Security of postMessage between Tails Verificati…

This message is part of the following thread:
M-\the complete thread tree sorted by date
M\M 
MMu at ->
Delete this message

Reply to this message
Author: sajolida
Date:  
To: The Tails public development discussion list, Uzair Farooq
Subject: [Tails-dev] Security of postMessage between Tails Verification and the download page
Hi,

The work on Tails Verification (the replacement of DAVE) and the new
download page is almost done and it's work fine. Still, I got quite
scared reading about the security implications postMessage:

https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Uzair wrote the code and u already reviewed it but I'd like to have
someone else telling me that this is fine and that only the extension
can send a "verification-success" message to the download page.

The JavaScript in the download page:

https://git-tails.immerda.ch/tails/tree/wiki/src/install/inc/js/dave_2.js

The code of the Tails Verification extension:

https://github.com/usman-subhani/verification-extension/blob/master/src/scripts/contentscript/verify.js

This message was posted to the following mailing lists:
tails-dev
Mailing List Info | Nearby Messages		<-Re: [Tails-dev] Verification extension [was: HTML prototype for new download page]Re: [Tails-dev] VeraCrypt/TrueCrypt support in GNOME Disks->
lists.autistici.org administrated by postmasterLurker (version 2.3)