Uzair Farooq:
> Here are my findings:
>
> 1. Our extension script is only injected in https://tails.boum.org, so
> unless there's an iframe on the download page there's no way for any
> other hosts to receive message from our extension. Nevertheless, I've
> changed the target from '*' to 'https://tails.boum.org' to be more safe.
>
> 2. On the receiving end we have a check to verify that the source 'window'
> object of the message is the same as the 'window' object of the current page,
> which essentially means that the site will always reject messages from
> any other page. Nevertheless, I've added an additional check to verify
> that the source of the message is 'https://tails.boum.org'.
>
> 3. We have checks in place to verify format/data of the messages passed.
>
> Other than that I don't think there's anything else to be worried about
> regarding security.
Thanks for the detailed explanation!
I tested this new version and it works!
I released it for Firefox but not for Chrome.
I tried to modify the check on both sides of the message communication
(postMessage on the extension and receiveMessage on the web page) and I
get errors from Firefox on the console.
For example, to be able to test the extension locally I now have to
patch the code of both the extension and the website (73899ef).
> One thing I want to mention here is that all these
> checks are to prevent attempts from other sites/pages but if user has a
> malicious extension installed, it can easily fake/intercept things.
Yeap. We already detected that in our initial threat modeling analysis.
Search "(F)" in:
https://tails.boum.org/blueprint/bootstrapping/extension/
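The two postMessage checks described in the thread (sender restricted to the site's origin instead of '*'; receiver requiring the source window to be the page's own window and the origin to be the trusted site) plus a payload-shape check, as an added example that is not the Tails extension's or website's own code. The message field names (`type`, `verified`) and the fake window objects are assumptions for illustration and for running outside a browser.

```javascript
// Origin named in the thread; everything else below is illustrative.
const TRUSTED_ORIGIN = 'https://tails.boum.org';

// Receiver check 1 and 2: the content script runs inside the page's own
// window, so event.source must be that window, and event.origin must be
// the trusted site. Any other page or frame fails one of the two tests.
function isTrustedEvent(event, currentWindow) {
  return event.source === currentWindow && event.origin === TRUSTED_ORIGIN;
}

// Receiver check 3: validate the payload's format before acting on it.
// Field names are assumed; reject anything that is not a plain object
// carrying exactly the expected types.
function isWellFormed(data) {
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return false;
  }
  const allowedTypes = new Set(['download-status']);
  return allowedTypes.has(data.type) && typeof data.verified === 'boolean';
}

// The handler the page would register on 'message': returns the accepted
// payload, or null when any check fails (the event is silently dropped).
function receiveMessage(event, currentWindow) {
  if (!isTrustedEvent(event, currentWindow)) return null;
  if (!isWellFormed(event.data)) return null;
  return event.data;
}

// Sender side (extension content script): target the trusted origin, not
// '*', so the browser discards the message if the page is not that site.
function sendToPage(targetWindow, payload) {
  targetWindow.postMessage(payload, TRUSTED_ORIGIN);
}

// Constructed stand-in for a browser window so the flow runs under Node:
// records what was posted and with which targetOrigin.
function makeFakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); },
  };
}
```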