Here are my findings:
1. Our extension script is only injected in
https://tails.boum.org, so
unless there's an iframe on the download page there's no way for any other
hosts to receive message from our extension. Nevertheless, I've changed the
target from'*' to '
https://tails.boum.org' to be more safe.
2. On receiving end we have a check to verify that the source 'window'
object of the message is same as the 'window' object of the current page
which essentially means that the site will always reject messages from any
other page. Nevertheless, I've added an additional check to verify that the
source of the message is '
https://tails.boum.org'
3. We have checks in place to verify format/data of the messages passed.
Other than that I don't think there's anything else to be worried regarding
security. One thing I want to mention here is that all these checks are to
prevent attempts from other sites/pages but if user has a malicious
extension installed, it can easily fake/intercept things.
On Tue, Nov 21, 2017 at 3:46 AM, sajolida <sajolida@???> wrote:
> intrigeri:
> > sajolida:
> >> The work on Tails Verification (the replacement of DAVE) and the new
> >> download page is almost done and it's work fine. Still, I got quite
> >> scared reading about the security implications postMessage:
> >
> >> https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
> >
> > Indeed.
> >
> >> Uzair wrote the code and u already reviewed it but I'd like to have
> >> someone else telling me that this is fine and that only the extension
> >> can send a "verification-success" message to the download page.
> >
> > I'm up to taking a good look at it; I'll probably need to ask help from
> more
> > skilled people.
> >
> > But if I did this with the info I have currently, I would probably
> > duplicate quite some work already done by Uzair and/or u. IMO it's the
> > developers and/or reviewers' job to make such audits easy by
> > documenting their reasoning, especially in highly sensitive code that
> > uses features explicitly documented as dangerous. So:
> >
> > - Uzair: please document your reasoning to explain why you think the
> > current code is safe;
>
> Uzair: Ping on this. Can you explain us (we're quite profane in browser
> and JavaScript security) how the security of the messaging between the
> extension and the page is handled? (And of other security-sensitive
> aspect of your code that might be relevant if they are not commented
> enough in the code).
>
> > - u: please tell me how deep you have already looked into the safety
> > of this aspect of the code, and if you did, explain why you think
> > the current code is safe;
> >
> > - sajolida: what timeline would be suitable for you to get an answer
> > to your question?
>
> Firefox 57 has been released last Tuesday, and apart from this question
> and a first general sanity check on security, we could do a first
> release any time.
>
> But on the other hand people don't seem to complain so much about the
> lack of support for Firefox 57 until now :)
>
