Hi!
sajolida:
> The work on Tails Verification (the replacement of DAVE) and the new
> download page is almost done and it works fine. Still, I got quite
> scared reading about the security implications of postMessage:
>
> https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Thanks for raising this issue specifically!

The doc says "Always specify an exact target origin, not *, when you use
postMessage to send data to other windows. A malicious site can change
the location of the window without your knowledge, and therefore it can
intercept the data sent using postMessage."

The code currently contains tons of "*" instead of a location.

Then:

"if you do expect to receive messages from other sites, always verify
the sender's identity using the origin and possibly source properties."

And:

"Having verified identity, however, you still should always verify the
syntax of the received message."

And later the doc says about using postMessage in extensions:

"The targetOrigin argument for a message sent to a window located at a
chrome: URL is currently misinterpreted such that the only value which
will result in a message being sent is "*". Since this value is unsafe
when the target window can be navigated elsewhere by a malicious site,
it is recommended that postMessage not be used to communicate with
chrome: pages for now; use a different method (such as a query string
when the window is opened) to communicate with chrome windows."

I'm not an expert in such extensions, but I have the slight feeling that
there is some more work to be done here :)

Cheers!
u.
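
An added example, not part of the message above and not code from Tails Verification: a sketch of the three checks the quoted MDN text asks for (an exact target origin when sending, an origin and source check when receiving, then syntax validation of the payload). The origin `https://tails.example`, the `{action, url}` message shape and the function names are assumptions made for illustration.

```javascript
// Added illustration. TRUSTED_ORIGIN, the {action, url} message shape and the
// function names are assumptions, not taken from the Tails Verification code.
const TRUSTED_ORIGIN = "https://tails.example"; // placeholder origin
const ALLOWED_ACTIONS = new Set(["verify", "progress", "result"]);

// Sender: accept only an exact origin (scheme://host[:port]), never "*".
function safePost(targetWindow, message, targetOrigin) {
  let parsed;
  try {
    parsed = new URL(targetOrigin);
  } catch (e) {
    throw new TypeError("targetOrigin must be an exact origin, got: " + targetOrigin);
  }
  if (parsed.origin !== targetOrigin) {
    throw new TypeError("targetOrigin must be an exact origin, got: " + targetOrigin);
  }
  targetWindow.postMessage(message, targetOrigin);
}

// Receiver: check identity first (origin, then source), then message syntax.
function validateMessage(event, expectedOrigin, expectedSource) {
  if (event.origin !== expectedOrigin) return { ok: false, reason: "origin" };
  if (event.source !== expectedSource) return { ok: false, reason: "source" };
  const d = event.data;
  if (d === null || typeof d !== "object" || Array.isArray(d)) {
    return { ok: false, reason: "syntax" };
  }
  const keys = Object.keys(d).sort().join(",");
  if (keys !== "action,url" || !ALLOWED_ACTIONS.has(d.action) || typeof d.url !== "string") {
    return { ok: false, reason: "syntax" };
  }
  let url;
  try {
    url = new URL(d.url);
  } catch (e) {
    return { ok: false, reason: "syntax" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "syntax" };
  // Return a fresh object so later code never touches the sender's data.
  return { ok: true, data: { action: d.action, url: url.href } };
}

// Browser wiring (sketch; `frame` and `handle` are hypothetical):
// window.addEventListener("message", (e) => {
//   const r = validateMessage(e, TRUSTED_ORIGIN, frame.contentWindow);
//   if (r.ok) handle(r.data);
// });
```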