[Tails-dev] Security of postMessage between Tails Verificati…

From: sajolida
Date:
To: The Tails public development discussion list, Uzair Farooq
Subject: [Tails-dev] Security of postMessage between Tails Verification and the download page

Hi,

The work on Tails Verification (the replacement of DAVE) and the new
download page is almost done and it works fine. Still, I got quite
scared reading about the security implications of postMessage:

https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Uzair wrote the code and u already reviewed it but I'd like to have
someone else telling me that this is fine and that only the extension
can send a "verification-success" message to the download page.

The JavaScript in the download page:

https://git-tails.immerda.ch/tails/tree/wiki/src/install/inc/js/dave_2.js

The code of the Tails Verification extension:

https://github.com/usman-subhani/verification-extension/blob/master/src/scripts/contentscript/verify.js
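
The receiver-side checks that the MDN page linked in the message above recommends for a `message` listener, as an added example that is not part of the original message and is not the Tails download page or extension code. The `{ action: "verification-success" }` message shape, the function names and the `https://download.example` origin are assumptions made for illustration.

```javascript
// Added example: validating an incoming "verification-success" message.
// Message shape and all names below are assumptions, not the project's code.
const EXPECTED_ACTION = "verification-success";

function isTrustedVerificationMessage(event, selfWindow, expectedOrigin) {
  // 1. Exact origin comparison; substring or prefix matching is bypassable.
  if (event.origin !== expectedOrigin) return false;
  // 2. A content script posting to its own page yields source === window.
  //    Frames, popups and openers show up with a different source.
  if (event.source !== selfWindow) return false;
  // 3. Data is untrusted input: require an object with the exact action.
  const data = event.data;
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return false;
  }
  return data.action === EXPECTED_ACTION;
}

// Browser wiring; skipped when the file is run outside a browser.
if (typeof window !== "undefined" && typeof window.addEventListener === "function") {
  window.addEventListener("message", (event) => {
    if (isTrustedVerificationMessage(event, window, window.location.origin)) {
      console.log("verification-success accepted");
    }
  });
}

// Constructed events exercising each check.
function demo() {
  const pageWin = {};            // stands in for the page's window
  const frameWin = {};           // stands in for an embedded frame
  const origin = "https://download.example"; // constructed origin
  const ok = { action: EXPECTED_ACTION };
  const check = (e) => isTrustedVerificationMessage(e, pageWin, origin);
  return {
    sameWindow: check({ origin, source: pageWin, data: ok }),
    otherFrame: check({ origin, source: frameWin, data: ok }),
    lookalike: check({ origin: origin + ".evil.example", source: pageWin, data: ok }),
    stringData: check({ origin, source: pageWin, data: EXPECTED_ACTION }),
    wrongAction: check({ origin, source: pageWin, data: { action: "other" } }),
  };
}
```

These checks reject messages from other windows and origins, but a message the page posts to itself passes them as well, because it carries the same `origin` and `source` as one posted by a content script. The download page's own scripts and anything it includes therefore remain part of the trust boundary.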