[Tails-dev] Security of postMessage between Tails Verificati…

Ce message fait partie du fil suivant :
M-\Arborescence complète du fil triée par date
M\M 
MMu à ->
Supprimer ce message

Répondre à ce message
Auteur: sajolida
Date:  
À: The Tails public development discussion list, Uzair Farooq
Sujet: [Tails-dev] Security of postMessage between Tails Verification and the download page
Hi,

The work on Tails Verification (the replacement of DAVE) and the new
download page is almost done and it's work fine. Still, I got quite
scared reading about the security implications postMessage:

https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Uzair wrote the code and u already reviewed it but I'd like to have
someone else telling me that this is fine and that only the extension
can send a "verification-success" message to the download page.

The JavaScript in the download page:

https://git-tails.immerda.ch/tails/tree/wiki/src/install/inc/js/dave_2.js

The code of the Tails Verification extension:

https://github.com/usman-subhani/verification-extension/blob/master/src/scripts/contentscript/verify.js

Ce message a été envoyé sur les listes de diffusion suivantes :
tails-dev
Informations sur la liste de diffusion | Messages voisins		<-Re: [Tails-dev] Verification extension [was: HTML prototype for new download page]Re: [Tails-dev] VeraCrypt/TrueCrypt support in GNOME Disks->
lists.autistici.org administré par postmasterLurker (version 2.3)