Re: [Tails-dev] Security of postMessage between Tails Verifi…

Supprimer ce message

Répondre à ce message
Auteur: intrigeri
Date:  
À: The Tails public development discussion list, Uzair Farooq
Sujet: Re: [Tails-dev] Security of postMessage between Tails Verification and the download page
Hi,

sajolida:
> The work on Tails Verification (the replacement of DAVE) and the new
> download page is almost done and it's work fine. Still, I got quite
> scared reading about the security implications postMessage:


> https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage


Indeed.

> Uzair wrote the code and u already reviewed it but I'd like to have
> someone else telling me that this is fine and that only the extension
> can send a "verification-success" message to the download page.


I'm up to taking a good look at it; I'll probably need to ask help from more
skilled people.

But if I did this with the info I have currently, I would probably
duplicate quite some work already done by Uzair and/or u. IMO it's the
developers and/or reviewers' job to make such audits easy by
documenting their reasoning, especially in highly sensitive code that
uses features explicitly documented as dangerous. So:

- Uzair: please document your reasoning to explain why you think the
current code is safe;

- u: please tell me how deep you have already looked into the safety
of this aspect of the code, and if you did, explain why you think
the current code is safe;

- sajolida: what timeline would be suitable for you to get an answer
to your question?

Cheers,
--
intrigeri