Re: [Tails-dev] Security of postMessage between Tails Verifi…

Supprimer ce message

Répondre à ce message
Auteur: u
Date:  
À: tails-dev
Sujet: Re: [Tails-dev] Security of postMessage between Tails Verification and the download page
Hello,

intrigeri:
> sajolida:
>> The work on Tails Verification (the replacement of DAVE) and the new
>> download page is almost done and it's work fine. Still, I got quite
>> scared reading about the security implications postMessage:
>
>> https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage


>  - u: please tell me how deep you have already looked into the safety
>    of this aspect of the code, and if you did, explain why you think
>    the current code is safe;


I only did basic verifications of escaping inserted code and regexps as
well as what I've sent on the list - and what Uzair has now fixed, i.e.
replacing * by our URL. I ran the code through JSLint as well and
reported my findings in the public email "Review of verification extension".

And as said in private, I'd be glad if intrigeri could take a look from
more of a security pov.

Cheers!
u.