Re: [Tails-dev] Review of verification-extension
> Hm, but if it's not needed, why don't we remove this piece of code? Can you try? Also make sure that the input we receive here can be trusted. I think it's meant to remove comments from the end of a line e.g. build-target: amd64 # some comments here This might be useful if you add some comments to the file in future. On Fri, Nov 24, 2017 at 1:49 PM, u wrote: > Hi, > > Uzair Farooq: > > >> - What kind of comments does this remove: > >>44 data = data.replace(/^[^'"]*#.*/gm, ''); // remove most comments > >>I don't see any in > >> https://tails.boum.org/install/v1/Tails/amd64/stable/latest.yml > > > > We copied it from old extension: > > https://git-tails.immerda.ch/ma1/download-and-verify- > extension/tree/tails-download-and-verify/lib/df.js > > Hm, but if it's not needed, why don't we remove this piece of code? Can > you try? Also make sure that the input we receive here can be trusted. > > Thanks for the other modifications :) > > u. > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Security of postMessage between Tails Verification and the download page
Hey, 1. We have specified permission for https://tails.boum.org in manifest.json. So, even if a site passes the check, the script still won't be injected if haven't specified it in manifest.json. I've modified the check anyway. > 2. Looks good to me. Note that to review this security-wise, I had to go read the documentation of postMessage to check how exactly this argument is used (tl;dr: scheme, hostname, and port must all match for the event to be dispatched). How about adding a comment about it in the code? I've added comments. > Wrt. the sending aspect of the extension → tabs message passing, the extension would happily send messages to any page on our website, including world-editable ones. I *think* it's not a security problem but I lack knowledge to analyze this. I'm not sure what you are referring to by 'tabs message passing'. If you're talking about chrome extenion tabs.sendMessage api, that api can only be used to communicate within the extension, you can't communicate with web pages using that api. > Did I understand correctly that you're implying that when the message is sent by a contentscript shipped in a WebExtension (which is the case here), on the receiving end, the source & origin of the dispatched message are set according to the window that sent the message? This would make sense to me, and then your reasoning seems to work just fine, but I'd like to check, so: can you please point me to the corresponding documentation? Yeah, that's correct. The chrome extension content script are considered as normal site scripts but have access to some additional apis. If we use postMessage api from contentScript, it's just like we send a message from the website itself. So, it'll set the source to the window of the object of the site. Please see the source property in postMessage api https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage You can read more about content scripts here https://developer.chrome.com/extensions/content_scripts > In passing, I see that we're assuming the message data (once de-serialized) has an "action" member. If not, the receiving side will throw an exception. Thankfully this happens only after we've checked the identity of the sender so it's not scary. But perhaps you could check that event.data.action is a thing, and return otherwise, before using it? I'm not a JS developer so I don't know what the implications of throwing an exception there vs. returning are. Yeah, it'll throw exception and the exception won't have any other implication other than throwing an error in console. I modified the check a while back to check for the data property too. > I see no copyright/licensing info for the rest of the code. Please fix that. We usually use GPL-3+ and a collective copyright such as: > Copyright $YEAR, Tails developers > But you're free to retain your own copyright on the copyrightable code you wrote, of course :) I've added copy right notices to the files. Also added licensing info to the forge info. The source/version is already there in the forge lib. > If you copied code that was written by Giorgio Maone, then it must be licensed under a GPLv3-compatible license, and the corresponding copyright info must be kept. There's a small part of code that was copied from old extension but I don't see any licensing or copyright notice in the original repo. On Sat, Nov 25, 2017 at 6:44 PM, intrigeri wrote: > Hi, > > Disclaimer: I am a beginner at JavaScript, sorry for any irrelevant or > mistaken comment below. > > Uzair Farooq: > > 1. Our extension script is only injected in https://tails.boum.org, > > I'm not sure it's actually the case. My understanding of > scripts/background/background.js is that the extension script is > injected into: > > - any existing tab whose URL starts with "https://tails.boum.org/";; >this looks good to me; > > - any new or updated tab whose new URL contains the >"https://tails.boum.org"; string somewhere; if I got this right, >this means it's injected in e.g. in: > > https://tails.boum.orgx/ > https://example.com/https://tails.boum.org > >I believe this should be fixed by: > >1. looking for the "https://tails.boum.org/"; prefix instead of > "https://tails.boum.org"; >2. checking that this string is the prefix of the tab's URL, instead > of merely checking it's a substring, i.e. something like > tab.url.indexOf(matches) == 0 (instead of > -1) > > What do you think? > > > so > > unless there's an iframe on the download page there's no way for any > other > > hosts to receive message from our exte
Re: [Tails-dev] Security of postMessage between Tails Verification and the download page
Here are my findings: 1. Our extension script is only injected in https://tails.boum.org, so unless there's an iframe on the download page there's no way for any other hosts to receive message from our extension. Nevertheless, I've changed the target from'*' to 'https://tails.boum.org' to be more safe. 2. On receiving end we have a check to verify that the source 'window' object of the message is same as the 'window' object of the current page which essentially means that the site will always reject messages from any other page. Nevertheless, I've added an additional check to verify that the source of the message is 'https://tails.boum.org' 3. We have checks in place to verify format/data of the messages passed. Other than that I don't think there's anything else to be worried regarding security. One thing I want to mention here is that all these checks are to prevent attempts from other sites/pages but if user has a malicious extension installed, it can easily fake/intercept things. On Tue, Nov 21, 2017 at 3:46 AM, sajolida wrote: > intrigeri: > > sajolida: > >> The work on Tails Verification (the replacement of DAVE) and the new > >> download page is almost done and it's work fine. Still, I got quite > >> scared reading about the security implications postMessage: > > > >> https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage > > > > Indeed. > > > >> Uzair wrote the code and u already reviewed it but I'd like to have > >> someone else telling me that this is fine and that only the extension > >> can send a "verification-success" message to the download page. > > > > I'm up to taking a good look at it; I'll probably need to ask help from > more > > skilled people. > > > > But if I did this with the info I have currently, I would probably > > duplicate quite some work already done by Uzair and/or u. IMO it's the > > developers and/or reviewers' job to make such audits easy by > > documenting their reasoning, especially in highly sensitive code that > > uses features explicitly documented as dangerous. So: > > > > - Uzair: please document your reasoning to explain why you think the > >current code is safe; > > Uzair: Ping on this. Can you explain us (we're quite profane in browser > and JavaScript security) how the security of the messaging between the > extension and the page is handled? (And of other security-sensitive > aspect of your code that might be relevant if they are not commented > enough in the code). > > > - u: please tell me how deep you have already looked into the safety > >of this aspect of the code, and if you did, explain why you think > >the current code is safe; > > > > - sajolida: what timeline would be suitable for you to get an answer > >to your question? > > Firefox 57 has been released last Tuesday, and apart from this question > and a first general sanity check on security, we could do a first > release any time. > > But on the other hand people don't seem to complain so much about the > lack of support for Firefox 57 until now :) > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Review of verification-extension
>- contentscript/verify.js:
> - fetchConf(): please wrap regexps.
Done.
>- contentscript/conf.js:
> - change the descriptor file to
>https://tails.boum.org/install/v1/Tails/amd64/stable/latest.yml
Done
> - are we sure that no other URL could be injected here: ajaxData.url=
> this.conf.descriptor; ?
Yeah, the url is hard coded in config, it can't be changed.
>- What kind of comments does this remove:
>44 data = data.replace(/^[^'"]*#.*/gm, ''); // remove most comments
>I don't see any in
>https://tails.boum.org/install/v1/Tails/amd64/stable/latest.yml
We copied it from old extension:
https://git-tails.immerda.ch/ma1/download-and-verify-extension/tree/tails-download-and-verify/lib/df.js
> - Can we not verify automatically once the download is finished?
As far as I know, chrome does not allow you to read local files. Someone
has mentioned this workaround
https://stackoverflow.com/questions/41767585/chrome-extension-to-access-content-of-downloaded-files
but I'm not sure if it'll work, we'll have to try.
>- origin of files:
> vendor/forge.js: please add a URL of origin for this script as well as a
version number so that we can update it in the future.
Done.
> - Please use double quotes instead of single quotes.
Done.
> - convert tabs to spaces
Done.
> - fart operator =>
>- example: this.fetchConf().done()=>{
> JSLint requires the parens around the parameters, and forbids a { left
brace after the => fart to avoid syntactic ambiguity. See:
http://www.jslint.com/help.html#function
Skipping the left brace is only allowed for one line functions.
> - Consider using strict-mode:
>https://developer.mozilla.org/en-US/docs/Web/JavaScript/
Reference/Strict_mode
> We want this code to be forwards compatible as much as possible as well
as as secure as possible.
Done.
> - Whishlist: please document how to test the extension locally in a
>README file.
> - Exclude this README file from the resulting XPI.
> - See as example the HACKING file in tails
>ta...@git.tails.boum.org:download-and-verify-extension
Added a README file
On Mon, Nov 13, 2017 at 11:18 PM, u wrote:
> Dear Uzair,
>
> so here is a more complete review of the extension.
>
> As said, I think there are two urgent matters:
>
> - manifest.json:
> - "permissions": [
> "http://*/*";,
> -> please deactivate HTTP. We only want to download over HTTPS.
>
> - contentscript/verify.js:
> - fetchConf(): please wrap regexps.
>
> And here are some other points I realized. If you think that any of
> these points are not applicable, please don't hesitate to comment. I'm
> not an expert in webextensions.
>
> - contentscript/conf.js:
> - change the descriptor file to
> https://tails.boum.org/install/v1/Tails/amd64/stable/latest.yml (I think
> sajolida created a ticket on our bugtracker already. It's not urgent,
> because the other files currently contains the same contents.)
>
> - contentscript/verify.js:
> - are we sure that no other URL could be injected here: ajaxData.url=
> this.conf.descriptor; ?
> - if not let's try to at least verify that the URL starts with
> https:// and comes from tails.boum.org
> - What kind of comments does this remove:
> 44 data = data.replace(/^[^'"]*#.*/gm, ''); // remove most comments
> I don't see any in
> https://tails.boum.org/install/v1/Tails/amd64/stable/latest.yml
>
> - setVerifyListener(){
> let self = this;
> this.$(this.document).on("change", this.conf.verifySelector, (e)
> => {
> self.calculateHash(e.target);
> });
> }
> -> So here we assume that the person clicks nicely on our button to
> verify and that nobody will interfere.
>- Can we not verify automatically once the download is finished?
>- Also, can we have a listener for the hash in the URL?
> For example, if I closed the window but now I want to come back
> and just do the verification without downloading again?
>
> - manifest.json:
> - "description": "Verify downloaded file", -> please make it clear
> that this verifies a Tails ISO image using a SHA256 checksum. (I think
> sajolida will handle this.)
>
> - origin of files:
> vendor/forge.js: please add a URL of origin for this script as well as
> a version number so that we can update it in the future.
>
> - JSLint http://www.jslint.com/ - this is a tool to write JS code which
> is not error prone and I think it would be nice to follow the
> requirements of JSLint.
> - Please use double quotes instead of single quotes.
> - convert tabs to spaces
> - fart operator =>
> - example: this.fetchConf().done()=>{
>JSLint requires the parens around the parameters, and forbids a {
> left brace after the => fart to avoid syntactic ambiguity. See:
> http://www.jslint.com/help.html#function
> - replace for loops with foreach (low prio)
>
> - Consider using strict-mode:
> https://developer.mozilla.org/en-US/docs/Web/JavaScript/
> Reference/Strict_mode
> We w
Re: [Tails-dev] Verification extension [was: HTML prototype for new download page]
I've merged your changes. > While doing this I came to wonder whether the version check was not broken again: the page asks for 1.0 minimum while it's 0.92 that is on AMO and the extension set 'data-extension="up-to-date"' on the page. Not sure if I understand correctly. I set the extension-version to 1.0 on web page and the installed extension version was 0.92. Extension correctly sets the variable 'document.documentElement.dataset.extension' to 'outdated' in this case. > So could you replace that duplicated code with a message like you tried to do originally in 412cb50? I've moved the logic to website. The extension now sends message and website then shows 'Verification' view. On Thu, Nov 16, 2017 at 5:46 PM, sajolida wrote: > Uzair Farooq: > > The repo url you mentioned says 'No repo found': > > https://git-tails.immerda.ch/verification-extension > > As noted in the email where I asked you this originally and which I > linked to from my second request on the topic: > > « Note that this URL doesn't work in a browser but does work through > Git. » > > Please try: > > $ git remote add upstream \ > https://git-tails.immerda.ch/verification-extension > $ git fetch upstream > > >> I also see that you initially tried to implement this with a message > >> in 412cb50 and I would much prefer this approach. What made you change > >> your mind between 412cb50 and 80773cb? > > > > Yeah, I originally planned to do it in web app but then noticed this > > comment in web app 'This should be done by the extension instead' and > > thought you want this in the extension. > > I removed this comment on the website a while ago (249e6f2153 from > November 7) after you first implemented the "up-to-date" vs "outdated" > logic. It was related to displaying whether the extension as already > installed (up-to-date or outdated). > > The issue I'm talking about here is that, once the extension is > installed, the next step is not displayed automatically. > > So could you replace that duplicated code with a message like you tried > to do originally in 412cb50? What made you change you mind right after > that commit? > > Also, you're not answering to my concerns about the "up-to-date" vs > "outdated" logic being broken again. See: > > https://mailman.boum.org/pipermail/tails-dev/2017-November/011867.html > > And just to be extra explicit: since Tuesday, people who are running > Firefox 57, can't download Tails anymore because we're not finished with > this work. > > I completely acknowledge that we have been slow and overwhelmed on our > side (on the technical mentoring of your work, on our own work on the > rest of the website, etc.) but if we have had a good enough version of > the extension on Tuesday, we would have made a first release of the new > download page on our website. But I think that the two issues mentioned > here are still blockers: 1. the page not updating once the extension is > installed, 2. the "up-to-date" vs "outdated" logic which seems broken > again. > > So I'd like you to move a bit faster now, please. > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Verification extension [was: HTML prototype for new download page]
The repo url you mentioned says 'No repo found': https://git-tails.immerda.ch/verification-extension > I also see that you initially tried to implement this with a message in > 412cb50 and I would much prefer this approach. What made you change your mind between 412cb50 and 80773cb? Yeah, I originally planned to do it in web app but then noticed this comment in web app 'This should be done by the extension instead' and thought you want this in the extension. On Tue, Nov 14, 2017 at 9:21 PM, sajolida wrote: > sajolida: > > Uzair Farooq: > >>> When the extension gets installed, the page is not updated to > show "Verify download...". See this screencast: > >>> > >>> https://dl.poivron.org/maad2a3jiuqdu3k3wjbf-dirqyvooctlkem57 > >>> <https://dl.poivron.org/maad2a3jiuqdu3k3wjbf-dirqyvooctlkem57> > >>> > >>> Uzair: Could you help me fix that? Is it something that should be fixed > >> in the extension or on the page? > >> > >> Fixed, extension will change the view to "Verify download..." > > > > I tried to test this change but now your branch conflicts when I try to > > merge it in mine. It seems like you didn't merge the work I did on > > https://git-tails.immerda.ch/verification-extension as I instructed in > > https://mailman.boum.org/pipermail/tails-dev/2017-November/011853.html. > > > > Can you do that and ask for guidance if needed? > > I wanted to publish a new version of AMO so I did that merge and > published 0.92: > > https://addons.mozilla.org/en-US/firefox/addon/tails-verification/ > > While doing this I came to wonder whether the version check was not > broken again: the page asks for 1.0 minimum while it's 0.92 that is on > AMO and the extension set 'data-extension="up-to-date"' on the page. > > Can you double-check what's going on? > > Also, probably since 80773cb, my console complains about > > "SyntaxError: redeclaration of let VerifyDownload" > > But I'm not sure that's important... > > > On top of this, I'm worried to see that you copied some of the code and > > display logic that we have on the page into the extension (80773cb). > > Until now, this was quite decoupled and the display logic was happening > > only on the page (in dave_2.js). > > > > I also see that you initially tried to implement this with a message in > > 412cb50 and I would much prefer this approach. What made you change your > > mind between 412cb50 and 80773cb > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Verification extension [was: HTML prototype for new download page]
>When the extension gets installed, the page is not updated to show "Verify download...". See this screencast: > https://dl.poivron.org/maad2a3jiuqdu3k3wjbf-dirqyvooctlkem57 > Uzair: Could you help me fix that? Is it something that should be fixed in the extension or on the page? Fixed, extension will change the view to "Verify download..." > - contentscript/verify.js: > - fetchConf(): please wrap the regexps. Not sure what you mean by this. Do you want me to convert them to 'new Regex()' format? > - manifest.json: > - "permissions": [ > "http://*/*";, > -> please deactivate HTTP. We only want to download over HTTPS. Fixed this. Also, I removed 'http://*/*' permission and added only tails.boum.org permission as we don't require permission for all sites. On Mon, Nov 13, 2017 at 9:44 PM, u wrote: > Hello! > > congrats on your work on the extension! > > I reviewed the code a little bit and I have some requests which should > be fixed beofore the release please: > > - contentscript/verify.js: > - fetchConf(): please wrap the regexps. > > - manifest.json: > - "permissions": [ > "http://*/*";, > -> please deactivate HTTP. We only want to download over HTTPS. > > I also have some more requests which are less urgent to fix. > Let's talk about these other issues in a separate thread / or tickets. I > will ask sajolida what the preferred way to report this is. > > Cheers! > u. > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Verification extension [was: HTML prototype for new download page]
> But I don't see any new commit on your repo so maybe you forgot to push: We have pushed the missing changes. > Another bug I found today, when the verification fails for a second time, the 'verification-failed-again' message is not passed. We were working on this but can't seem to pass 'Install Verification Extension' button. Even though the extension is installed, it still says to install extension. On Sat, Nov 11, 2017 at 9:06 PM, Uzair Farooq wrote: > > But I don't see any new commit on your repo so maybe you forgot to > push: > > Yeah seems like that. We'll push the changes. > > > I tried that both in Tor Browser and Chromium and could make it work. > Here is the background.js script that I'm using: > > Instead of whole path can you just try 'download_2.html'? > > > Another bug I found today, when the verification fails for a second > time, the 'verification-failed-again' message is not passed. > > Yeah, we'll fix it on Monday. > > On Sat, Nov 11, 2017 at 4:40 PM, sajolida wrote: > >> Another bug I found today, when the verification fails for a second >> time, the 'verification-failed-again' message is not passed. >> >> It's not very surprising because there's no reference to this string in >> the code of the extension. >> >> Uzair: Do you think you can add that in the coming days? >> > > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Verification extension [was: HTML prototype for new download page]
> But I don't see any new commit on your repo so maybe you forgot to push: Yeah seems like that. We'll push the changes. > I tried that both in Tor Browser and Chromium and could make it work. Here is the background.js script that I'm using: Instead of whole path can you just try 'download_2.html'? > Another bug I found today, when the verification fails for a second time, the 'verification-failed-again' message is not passed. Yeah, we'll fix it on Monday. On Sat, Nov 11, 2017 at 4:40 PM, sajolida wrote: > Another bug I found today, when the verification fails for a second > time, the 'verification-failed-again' message is not passed. > > It's not very surprising because there's no reference to this string in > the code of the extension. > > Uzair: Do you think you can add that in the coming days? > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Verification extension [was: HTML prototype for new download page]
> It works when the version of the extension is up-to-date (1.0 or 1.1) but it doesn't work when the version is outdated (0.9). I can see that data-extension is still set to "ok". See screenshot. We have fixed an error with version checking so it should work now. Still if you want us to shift to simple floats comparison, we can do that. To test locally just need to change background.js, line 3 from: let matches = "://tails.boum.org/"; To: let matches = "file:///home/amnesia/Persistent/Tor%20Browser/ master/install/download_2.html"; On Wed, Nov 8, 2017 at 12:11 AM, sajolida wrote: > Uzair Farooq: > >> * Test that it works for you on https://tails.boum.org/ > install/download_2/ > > . > > > > This does not work for us either. Reason because no element with id > > 'download-and-verify' is present on the page. You will have to assign > this > > id to some element to make it work. > > I also realized that shortly after I gave up yesterday night :) > > So I pushed 7b5ec02933 on the production website and it's working now. > > >> * I see that you changed some condition in scripts/background > > /background.js, is it still supposed to work when I try from > > a local build of the website. On my Tails, I'm checking > > > > We have only whitelisted 'tails.boum.org' so it'll only work on this > site. > > If we add any other domains, it'll ask user for permission to those sites > > as well during installation. > > Ok, so let's not do that... > > But then it very painful to work on the code, test, and debug because > I'm pushing new versions on the production website every time. I know > how to edit HTML and CSS through the Firefox developer tools but I don't > know how to do something similar for the JavaScript on the page. > > How do you test your changes to dave_2.js locally? > > >> Uzair Farooq: > >>> 1. We are now logging percentage to console, you can replace it with a > >>> progress bar. Please have a look at the commit: https://github.com/ > >>> usman-subhani/Tails-repos/commit/bfb204b3c006189094c23626acab0d > >>> b1daf99109. The console.log(percentage) line is executed whenever > there's a change in > >>> percentage. > > I wired that into the HTML page and it's working. Cl! > > >>> 2. We now update the $FILENAME with actual filename. > > This works great! I updated a bit the HTML to avoid hard coding an > English string in the JavaScript code (9dd2fe1a31). > > >>> 3. We have ported the version update logic from original extension i.e. > >>> it will find element with id '#extension-version' on page and will > compare > >>> its text with installed version of extension and will set `document. > >>> documentElement.dataset.extension` accordingly (either 'ok' or 'old'). > > I wired this logic into the CSS (73cec4b28c). > > It works when the version of the extension is up-to-date (1.0 or 1.1) > but it doesn't work when the version is outdated (0.9). I can see that > data-extension is still set to "ok". See screenshot. > > Can you check what's wrong here? > > I see that you ported the code from Giorgio in your extension but that > it involves quite complex string parsing, so instead of struggling with > it, I think it would be fine if you prefer replacing it with comparing > two floating point numbers. We don't need a very evolved version scheme > for the extension. > > Also, I initially tried to the display logic in dave_2.js since it's > where we already have all the rest but I didn't know how to do that > (249e6f2153). Do you know if that would be possible? But it's working > now (at least for up-to-date version) so we shouldn't spend too much > time on that; it might just ease a bit maintenance in the future. > > >>> 4. We have removed the icon. Note that Chrome still shows a greyed out > >>> icon by default and user can hide the icon themselves if they want but > >>> extension cannot hide it. > > Good! > > >>> 5. Yeah, the extension is ready for chrome too. To install, follow the > >>> procedure here https://developer.chrome.com/ > >>> extensions/getstarted#unpacked > > Wow, it works!!! > > >>> 6. We have changed the logic to run the extension on all web pages of > >>> tails.boum.org which have an element with id 'download-and-verify' > >>> present in DOM > > Adjusted the download page accordingly and it works. > > We're almost there! Now I'll investigate how to upload to the Firefox > and Chrome stores would work and if I can do that myself. > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Verification extension [was: HTML prototype for new download page]
The repositories urls: - https://github.com/usman-subhani/Tails-repos - https://github.com/usman-subhani/verification-extension/ On Sat, Nov 4, 2017 at 4:30 PM, Uzair Farooq wrote: > Hey. > > 1. We are now logging percentage to console, you can replace it with a > progress bar. Please have a look at the commit: https://github.com/usm > an-subhani/Tails-repos/commit/bfb204b3c006189094c23626acab0db1daf99109. > The console.log(percentage) line is executed whenever there's a change in > percentage. > > 2. We now update the $FILENAME with actual filename. > > 3. We have ported the version update logic from original extension i.e. it > will find element with id '#extension-version' on page and will compare > its text with installed version of extension and will set `document. > documentElement.dataset.extension` accordingly (either 'ok' or 'old'). > > 4. We have removed the icon. Note that Chrome still shows a greyed out > icon by default and user can hide the icon themselves if they want but > extension cannot hide it. > > 5. Yeah, the extension is ready for chrome too. To install, follow the > procedure here https://developer.chrome.com/extensions/getstarted#unpacked > > 6. We have changed the logic to run the extension on all web pages of > tails.boum.org which have an element with id 'download-and-verify' > present in DOM > > Let me know if I've missed something. > > Cheers! > > > > On Fri, Nov 3, 2017 at 5:53 PM, sajolida wrote: > >> sajolida: >> > Uzair Farooq: >> >> Uzair Farooq: >> >>> Hey, we checked the forge library (the one they listed as the fastest >> in >> >>> their benchmark). To my surprise it improved the time darastically. >> It took >> >>> a little more than 1 minute on a core i3 machine with 4GB RAM. >> > >> > Amazing! I tried on my laptop (Core i5 M520) and it took 45 seconds. >> > Not as good as the native call we had on the previous version of the >> > extension but clearly acceptable given the current limitations. >> > Congrats!!! >> > >> > So I did more tests and here are some comments and questions: >> > >> > - Would it be complicated to add a progress bar? ~1 minute is a decent >> > time to wait in this context, but I'm afraid that many people will >> > wonder what's going on if we give them no feedback on how long to >> > wait. The previous version integrated the download and was so fast >> > that feedback on the checksum calculation itself was not needed. But >> > here I would like to tell a bit more about what to expect. A progress >> > bar would solve this, but otherwise I can also put a spinner and give >> > a rough time estimate. >> > >> > - In my HTML mock-up I meant $FILENAME to be something that your >> > extension would replace with the filename of the ISO image. >> > See screenshot in attachment. Is this possible? >> > >> > - In Giorgio's version we had some JavaScript code to detect the browser >> > and display an appropriate version of the page. See [1]. I'll try to >> > integrate it in the new version but I might ask you for help if I get >> > stuck :) >> > >> > [1]: >> > https://git-tails.immerda.ch/tails/tree/wiki/src/install/inc/js/dave.js >> > >> > - We need a mechanism to notify when the extension needs update. See >> > "extension-version" in the HTML code of the current download page [2] >> > and in Giorgio's code. >> > >> > [2]: https://tails.boum.org/install/download/ >> > >> > I see no reference to "extension-version" in your code so I think that >> > this is not implemented yet. Can you have a look and provide us with a >> > way of testing that it's working fine once you have this feature back? >> > >> > - Your extension displays an icon in the URL bar. See attachment. Is it >> > a requirements with WebExtensions? Because as this icon otherwise >> > doesn't do anything when click, if it's possible to hide I would >> > prefer. >> > >> > - Is your code already working on Chrome? How can we test that? >> > >> > - In scripts/background/background.js it seems like you are activating >> > the extension on https://tails.boum.org/install/download_2/ but: >> > >> > - This URL is bound to change once we release the extension. >> > - The extension should be activated on sev
Re: [Tails-dev] Verification extension [was: HTML prototype for new download page]
Hey. 1. We are now logging percentage to console, you can replace it with a progress bar. Please have a look at the commit: https://github.com/ usman-subhani/Tails-repos/commit/bfb204b3c006189094c23626acab0db1daf99109. The console.log(percentage) line is executed whenever there's a change in percentage. 2. We now update the $FILENAME with actual filename. 3. We have ported the version update logic from original extension i.e. it will find element with id '#extension-version' on page and will compare its text with installed version of extension and will set `document. documentElement.dataset.extension` accordingly (either 'ok' or 'old'). 4. We have removed the icon. Note that Chrome still shows a greyed out icon by default and user can hide the icon themselves if they want but extension cannot hide it. 5. Yeah, the extension is ready for chrome too. To install, follow the procedure here https://developer.chrome.com/extensions/getstarted#unpacked 6. We have changed the logic to run the extension on all web pages of tails.boum.org which have an element with id 'download-and-verify' present in DOM Let me know if I've missed something. Cheers! On Fri, Nov 3, 2017 at 5:53 PM, sajolida wrote: > sajolida: > > Uzair Farooq: > >> Uzair Farooq: > >>> Hey, we checked the forge library (the one they listed as the fastest > in > >>> their benchmark). To my surprise it improved the time darastically. It > took > >>> a little more than 1 minute on a core i3 machine with 4GB RAM. > > > > Amazing! I tried on my laptop (Core i5 M520) and it took 45 seconds. > > Not as good as the native call we had on the previous version of the > > extension but clearly acceptable given the current limitations. > > Congrats!!! > > > > So I did more tests and here are some comments and questions: > > > > - Would it be complicated to add a progress bar? ~1 minute is a decent > > time to wait in this context, but I'm afraid that many people will > > wonder what's going on if we give them no feedback on how long to > > wait. The previous version integrated the download and was so fast > > that feedback on the checksum calculation itself was not needed. But > > here I would like to tell a bit more about what to expect. A progress > > bar would solve this, but otherwise I can also put a spinner and give > > a rough time estimate. > > > > - In my HTML mock-up I meant $FILENAME to be something that your > > extension would replace with the filename of the ISO image. > > See screenshot in attachment. Is this possible? > > > > - In Giorgio's version we had some JavaScript code to detect the browser > > and display an appropriate version of the page. See [1]. I'll try to > > integrate it in the new version but I might ask you for help if I get > > stuck :) > > > > [1]: > > https://git-tails.immerda.ch/tails/tree/wiki/src/install/inc/js/dave.js > > > > - We need a mechanism to notify when the extension needs update. See > > "extension-version" in the HTML code of the current download page [2] > > and in Giorgio's code. > > > > [2]: https://tails.boum.org/install/download/ > > > > I see no reference to "extension-version" in your code so I think that > > this is not implemented yet. Can you have a look and provide us with a > > way of testing that it's working fine once you have this feature back? > > > > - Your extension displays an icon in the URL bar. See attachment. Is it > > a requirements with WebExtensions? Because as this icon otherwise > > doesn't do anything when click, if it's possible to hide I would > > prefer. > > > > - Is your code already working on Chrome? How can we test that? > > > > - In scripts/background/background.js it seems like you are activating > > the extension on https://tails.boum.org/install/download_2/ but: > > > > - This URL is bound to change once we release the extension. > > - The extension should be activated on several pages, for example: > > > > - https://tails.boum.org/install/win/usb > > - https://tails.boum.org/install/debian/usb > > > > In Giorgio's code we were using a div id #download-and-verify > > instead, so that the extension could be activated on multiple pages. > > Could we go back to doing something like this instead? If that works > > for you, I'll add a div id in my HTML code. > > ^ Ping on all this. > > Today is Friday and we're now less than 2 weeks away from Firefox 57 so
Re: [Tails-dev] HTML prototype for new download page
We tried the stripped down version. We process data in chunks but stripped down version only provides the method which processes data all at once. Had to make some changes to make it work for our use case but it's giving us a different hash. Will debug it on Monday. On Fri, Oct 27, 2017 at 3:15 AM, anonym wrote: > Uzair Farooq: > > Hey, we checked the forge library (the one they listed as the fastest in > > their benchmark). To my surprise it improved the time darastically. It > took > > a little more than 1 minute on a core i3 machine with 4GB RAM. We have > > pushed latest changes to the repo > > https://github.com/usman-subhani/verification-extension > Hey, that sounds brilliant! > > FWIW, while I was researching possible solutions I stumbled upon: > > https://stackoverflow.com/questions/18338890/are-there- > any-sha-256-javascript-implementations-that-are-generally-considered-t > > which lead me to this 4.5 KB extract of only the parts of forge needed for > the SHA256 computation: > > https://github.com/brillout/forge-sha256 > > which seems like a worthwhile bloat reduction. > > Cheers! > > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] HTML prototype for new download page
Hey, we checked the forge library (the one they listed as the fastest in their benchmark). To my surprise it improved the time darastically. It took a little more than 1 minute on a core i3 machine with 4GB RAM. We have pushed latest changes to the repo https://github.com/usman-subhani/verification-extension Regards, Uzair On Thu, 26 Oct 2017 at 6:36 PM, sajolida wrote: > sajolida: > > anonym: > >> Uzair Farooq: > >>> Hey, > >>> > >>>> How long does it take to get a successful result of the verification > >>>> extension on your machine? > >>> > >>> It took half an hour for us. We haven't processed such large SHA files > >>> previously so I wasn't aware that it could take this long. Again, the > >>> problem here is that the javascript implementation of the SHA algo is > not > >>> that efficient enough. We can try some other SHA libraries but I don't > >>> expect they will make a considerable difference. > > > > I tried again on my machine. After 60 minutes it wasn't done yet. > > Now with 90 minutes it's over. I have a ThinkPad X200 with a Core i5 > M520. > > > > So 30 minutes is if you are lucky and have a quite fast machine :) > > > >> So, can you please look at the top candidates among those > implementations and report back your measurements? > > > > On top of speed, could you also measure RAM consumption? > > And since we're getting quite close to the deadline (November 16), I'd > like you to also be more clear about when you think you'll be able to > send us more work to review (so we can schedule time to review it). > > For example, do you think you'll be able to benchmark and report on the > performance of these other JavaScript libraries before the end of the > week? If not, when? > -- Sent from iPod ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] HTML prototype for new download page
Hey, > How long does it take to get a successful result of the verification extension on your machine? It took half an hour for us. We haven't processed such large SHA files previously so I wasn't aware that it could take this long. Again, the problem here is that the javascript implementation of the SHA algo is not that efficient enough. We can try some other SHA libraries but I don't expect they will make a considerable difference. > Did you check the portability of the pinning mechanism when we first asked you about the feasibility of porting the extension to WebExtensions? No, tbh. I thought the core functionality of the extension is to only verify checksum. It was difficult and time consuming for us to understand all the code so we only focused on core functionality. But I pointed out my understanding of the extension during our conversation just to make sure I'm not missing anything: >Just want to make sure we are on the same page. The main functionality would be: > - User will download the image from website. > - After the download is complete, user will navigate to the verification page of extension (say by clicking on extension icon). >- User will select the downloaded file and extension will let user know if the image is valid or not. > So do you confirm that we won't be able to do certificate pining in the new extension? Yeah, unfortunately not possible with webextensions. On Thu, Oct 19, 2017 at 3:59 PM, sajolida wrote: > Uzair Farooq: > > Hey, > > Hey! > > >> But then the extension doesn't work: it takes a full core starts eating > > as much RAM as it can. See this screencast: > > > > The SHA 256 takes time and CPU to compute for such large files. In the > > previous add-on we were using a native method (which is not supported in > > web extensions) which was probably fast because it was a native methods > are > > native are not bound to Javascript while the SHA libs must javascript to > > compute hash. > > > > What we can do as a workaround is that we compute hash in a webworker. A > > web worker won't hang the page/browser but it'll still take CPU and RAM. > > Regarding the RAM, today I see that the amount of RAM is topped at > ~200MiB (fluctuating between 150MB and 200MB). Which is a whole lot but > at least not continuously increasing until it crashes, which is what I > thought at first. > > Regarding the execution time, I tried again on my machine: it's been > running for 15 minutes and still eating a whole core. > > How long does it take to get a successful result of the verification > extension on your machine? > > Because maybe I'm facing a bug and not a normal run of the extension... > > With the current extension, the checksum is calculated within seconds > (I didn't ever counted how many because it went so fast). On the > command line computing the checksum takes 11 seconds. > > >> That you are embedding a crypto library to compute the SHA256 > > (scripts/vendor/sha256.js) while the previous code didn't do that. > > In tails-download-and-verify/lib/hash.js he seems to use a build-in > > function from Firefox with: > > > > This is not possible in web extensions, that api only works Add-on SD. > > Ok. > > >> That you don't pin on the SSL certificate of our certificate authority > > (Let's Encrypt). > > > > This library is also addon SDK specific and is not supported in Web > > Extensions. > > Did you check the portability of the pinning mechanism when we first > asked you about the feasibility of porting the extension to WebExtensions? > > To be honest, I quite worried to learn only now that the two crypto > operations that are in the design of the extension (checksum and > certificate pining) are not available in Web Extension while I pointed > you to the code and the design back in May... while the deadline for the > new extension is November 16. > > > There's this certificate pinning feature in HTML5 > > https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning in > > which pinned certificates are returned in header of request when user > > visits the site first time. > > We already have HSTS activated on our website and have plans to work on > having HPKP: https://labs.riseup.net/code/issues/9026 but as you can see > in #note-7 it's quite complex as it requires careful backups and > recovery plans. Definitely not something we can have before November 16. > > So do you confirm that we won't be able to do certificate pining in the > new extension? > > > It'd have been easier for us to reuse Giorgio's code instead of rewriting > >
Re: [Tails-dev] HTML prototype for new download page
Hey, > But then the extension doesn't work: it takes a full core starts eating as much RAM as it can. See this screencast: The SHA 256 takes time and CPU to compute for such large files. In the previous add-on we were using a native method (which is not supported in web extensions) which was probably fast because it was a native methods are native are not bound to Javascript while the SHA libs must javascript to compute hash. What we can do as a workaround is that we compute hash in a webworker. A web worker won't hang the page/browser but it'll still take CPU and RAM. > That you are embedding a crypto library to compute the SHA256 (scripts/vendor/sha256.js) while the previous code didn't do that. In tails-download-and-verify/lib/hash.js he seems to use a build-in function from Firefox with: This is not possible in web extensions, that api only works Add-on SD. > That you don't pin on the SSL certificate of our certificate authority (Let's Encrypt). This library is also addon SDK specific and is not supported in Web Extensions. There's this certificate pinning feature in HTML5 https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning in which pinned certificates are returned in header of request when user visits the site first time. It'd have been easier for us to reuse Giorgio's code instead of rewriting from scratch but because of the fact that a lot of API's being used in Giorgio's code are add-on SDK specific and aren't supported in WebExtensions, it was better to rewrite. On Sun, Oct 15, 2017 at 10:07 PM, sajolida wrote: > Uzair Farooq: > > We made the commit on top of existing repo, here > > https://github.com/usman-subhani/Tails-repos > > Yeah, I like that! > > I merged your changes in the production website so you can test it from: > > http://tails.boum.org/install/download_2 > > I also: > > - Hid the "Update extension" that was displayed by default. > - Hid the that you added for the file chooser. > > So far so good! > > > Here's how to install Firefox extension > > https://developer.mozilla.org/en-US/Add-ons/WebExtensions/ > Temporary_Installation_in_Firefox > > . There's a video tutorial at the end. > > I tried this as well and installing the extension like this works, yeah! > > But then the extension doesn't work: it takes a full core starts eating > as much RAM as it can. See this screencast: > > https://dl.poivron.org/n7exagegay7wmynbugh4-ekzsjrqmajdq5lyn > > Also, I see in the report for the extension itself that you decided to > start a code base from scratch. Our initial idea was to instead base > your work on the current code base from Giorgio Maone, but I also > understand that given the fact that the scope of the extension has been > drastically reduced after we removed the download from it and that the > download page has been completely rewritten, it might make more sense > for you to start from scratch. So that's not a problem as such. > > Still, as initial comments (because I can't really understand your code > beyond that), I see: > > - That you are embedding a crypto library to compute the SHA256 > (scripts/vendor/sha256.js) while the previous code didn't do that. > In tails-download-and-verify/lib/hash.js he seems to use a build-in > function from Firefox with: > > let hasher = Cc["@mozilla.org/security/hash;1"] > .createInstance(Ci.nsICryptoHash); > hasher.init(hasher.SHA256); > > https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/ > Reference/Interface/nsICryptoHash > > If this is still possible with WebExtensions, why not do that? > > Because auditing and maintaining crypto primitives is not really > something we want to go into... > > - That you don't pin on the SSL certificate of our certificate authority > (Let's Encrypt). > > See: > > - https://tails.boum.org/blueprint/bootstrapping/extension/#index5h2 > - tails-download-and-verify/lib/cert-pinner.js in the current code > > I'm sorry if I didn't point you to this document before but I didn't > expect that you would rewrite the internals of the verification > mechanism and would rather reuse Giorgio's code. > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] HTML prototype for new download page
Hey, We made the commit on top of existing repo, here https://github.com/usman-subhani/Tails-repos Here's how to install Firefox extension https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Temporary_Installation_in_Firefox . There's a video tutorial at the end. On Thu, Oct 12, 2017 at 5:11 PM, anonym wrote: > sajolida: > > Uzair Farooq: > >> I've pushed two repositories: > >> > >> Extension: https://github.com/usman-subhani/verification-extension > > > > anonym: Can you check this one? > > Sure! > > The lack of atomic Git history makes it hard to wrap my head around it, > but luckily it's short so I'm not really worried about this. However, from > now on I'd really prefer atomic commits with meaningful commit messages. > Any way, since my JavaScript is really poor I'd really like to be able to > run this code and play around with it a bit to get a better understanding > of how things are related. > > Uzair and Usman, how exactly can I test this (and my own modifications to > it) in Firefox? I suppose I need a development build of Firefox to work > around extension signing, right? But then what? Do I need to package the > extension somehow? Assume I known nothing about Firefox extensions, because > that is almost the case. ;) > > Cheers! > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] HTML prototype for new download page
I've pushed two repositories: Extension: https://github.com/usman-subhani/verification-extension Web: https://github.com/usman-subhani/Tails-Web-App Please have a look and let me know if there are any issues. On Wed, Oct 4, 2017 at 9:11 PM, sajolida wrote: > intrigeri: > > Uzair Farooq: > >> I've made changes to the site, do I push directly to the repository? I > >> don't seem to have access to push to the repo. > > > > You'll need your own repository, so either fork us on GitLab > > (https://gitlab.com/Tails/tails) or request a repo on our > > infrastructure > > (https://tails.boum.org/contribute/git/#creating-a-new-repository). > > Yeap, then I'll have a look and merge! > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] HTML prototype for new download page
I've made changes to the site, do I push directly to the repository? I don't seem to have access to push to the repo. On Thu, Sep 28, 2017 at 8:55 PM, sajolida wrote: > Uzair Farooq: > > Hey sajolida, > > > > Can you let me know how to run the DAVE site locally? I'm implementing > > message passing in site and need to test it. > > Actually, I should have pointed your to the documentation we have about > that straight from the beginning: > > https://tails.boum.org/contribute/build/website/ > > In short, the code for the website is included in our main Git repo so > you need to clone that repo first. Then install ikiwiki [1] and build > the website locally. > > [1]: https://ikiwiki.info/ > > Once you get that working here is a small tip to make your work on this > particular page either. > > Instead of relying on the ikiwiki.setup configuration included in the > Git repo, you could create a copy of it (mine is called > ikiwiki-local.setup) and change the "hardlink" option in there to "1". > > To refresh the build I do: > > ikiwiki -setup ikiwiki-local.setup -refresh > > Instead of ./build-website in the doc. > > This will make hardlinks between the .css and .js files from your repo > and in the build, so you don't have to refresh the build of the website > every time you change these files. You would still have the refresh the > build if you change the .html file. > > The HTML code for the important code of the download page is > wiki/src/install/inc/steps/download_2.inline.html (which is inlined from > wiki/src/install/download_2.html). > > Good luck! > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] HTML prototype for new download page
Hey sajolida, Can you let me know how to run the DAVE site locally? I'm implementing message passing in site and need to test it. On Wed, Sep 27, 2017 at 3:21 PM, Uzair Farooq wrote: > Yeah, will name it TAILS_VERIFICATION_EXTENSION_VERSION > > On Wed, Sep 27, 2017 at 2:46 PM, sajolida wrote: > >> Uzair Farooq: >> >> I have a function called showVerifyingDownload to toggle from the >> click on >> >> the "Verify..." button to the display of "Verifying download..." while >> the >> >> verification happens. >> >> Maybe you were referring to something like this? >> > >> > Sorry for the typo, yeah that's what I meant. >> >> :) >> >> >> By the way I already have a function called >> showVerificationResult(result) >> >> to do that. >> > >> > Great. >> > >> >> So on top of EXTENSION_INSTALLED I would need something like >> EXTENSION_VERSION, >> >> or combine both information in the same variable. >> > >> > I will set a single variable named DAVE_VERIFICATION_EXTENSION_VERSION. >> > It's value would be a string containing the current extension version. >> >> Can you call it "TAILS_VERIFICATION_EXTENSION_VERSION" or >> "VERIFICATION_EXTENSION_VERSION" instead? >> >> > I've started working on the extension. Will integrate it with the site. >> I >> > will let you know if anything is needed from your end. >> >> Cool! >> > > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] HTML prototype for new download page
Yeah, will name it TAILS_VERIFICATION_EXTENSION_VERSION On Wed, Sep 27, 2017 at 2:46 PM, sajolida wrote: > Uzair Farooq: > >> I have a function called showVerifyingDownload to toggle from the click > on > >> the "Verify..." button to the display of "Verifying download..." while > the > >> verification happens. > >> Maybe you were referring to something like this? > > > > Sorry for the typo, yeah that's what I meant. > > :) > > >> By the way I already have a function called > showVerificationResult(result) > >> to do that. > > > > Great. > > > >> So on top of EXTENSION_INSTALLED I would need something like > EXTENSION_VERSION, > >> or combine both information in the same variable. > > > > I will set a single variable named DAVE_VERIFICATION_EXTENSION_VERSION. > > It's value would be a string containing the current extension version. > > Can you call it "TAILS_VERIFICATION_EXTENSION_VERSION" or > "VERIFICATION_EXTENSION_VERSION" instead? > > > I've started working on the extension. Will integrate it with the site. I > > will let you know if anything is needed from your end. > > Cool! > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] HTML prototype for new download page
>I have a function called showVerifyingDownload to toggle from the click on the "Verify..." button to the display of "Verifying download..." while the verification happens. >Maybe you were referring to something like this? So on top of EXTENSION_INSTALLED I would need something like EXTENSION_VERSION, or combine both information in the same variable. Sorry for the typo, yeah that's what I meant. > By the way I already have a function called showVerificationResult(result) to do that. Great. > So on top of EXTENSION_INSTALLED I would need something like > EXTENSION_VERSION, or combine both information in the same variable. I will set a single variable named DAVE_VERIFICATION_EXTENSION_VERSION. It's value would be a string containing the current extension version. I've started working on the extension. Will integrate it with the site. I will let you know if anything is needed from your end. On Tue, Sep 26, 2017 at 10:41 PM, sajolida wrote: > Uzair Farooq: > >> For example, I supposed that it will be possible for your extension > >> to rely on some calls to some functions in the script dealing with > >> the logic between the moving parts (for example > >> 'showVerificationResult'). I thought that this would help us decouple > >> what's shipped in the extension from the content and interactions on the > >> page. > > > > Yeah, this seems good. Extensions can't call functions directly so will > > have to do message passing > > (https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ). > > Cool! > > > I can build message passing layer so you can assume that extension can > > call the functions. > > I'll definitely need help on this, yes :) > > > Just let me know what functions extension will be > > calling. Here are the functions I think will be required: > > > > - verifyingFil() > > ^ What do you mean by this one? > > I have a function called showVerifyingDownload to toggle from the click > on the "Verify..." button to the display of "Verifying download..." > while the verification happens. > > Maybe you were referring to something like this? > > > - fileVerificationComplete() > > This would need a result parameter as well because we have three > different result: success, failure, and failure again. > > By the way I already have a function called > showVerificationResult(result) to do that. > > > You'll also need some kind of indication that extension is installed or > > not, right? We can set a global variable EXTENSION_INSTALLED and you can > > simply check if it's true. > > Yes! Here I need two things: > > - Be able to know if the extension is installed already. > - Be able to know if the extension is up-to-date. > > So on top of EXTENSION_INSTALLED I would need something like > EXTENSION_VERSION, or combine both information in the same variable. > > Also, intrigeri mentioned that this API should be versioned. I'll take > not of this and propose something later on. > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] HTML prototype for new download page
> For example, I supposed that it will be possible for your extension to rely on some calls to some functions in the script dealing with the logic between the moving parts (for example 'showVerificationResult'). I thought that this would help us decouple what's shipped in the extension from the content and interactions on the page. Yeah, this seems good. Extensions can't call functions directly so will have to do message passing ( https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ). I can build message passing layer so you can assume that extension can call the functions. Just let me know what functions extension will be calling. Here are the functions I think will be required: - verifyingFil() - fileVerificationComplete() You'll also need some kind of indication that extension is installed or not, right? We can set a global variable EXTENSION_INSTALLED and you can simply check if it's true. On Mon, Sep 25, 2017 at 1:58 AM, sajolida wrote: > Hi Uzair, > > This time I'm putting in copy tails-dev@boum.org which is our > development mailing, instead of tails-ux@, because we're entering the > realm of code and implementation. anonym is subscribed to this list so > there's no need to put him in explicit copy anymore. > > So I'm done with a first HTML prototype of the new download page. You > can see it here: > > https://tails.boum.org/install/download_2/ > > The code is in our main Git repository: > > https://git-tails.immerda.ch/tails/ > > And the most relevant files are: > > HTML: > > https://git-tails.immerda.ch/tails/tree/wiki/src/install/ > inc/steps/download_2.inline.html > > CSS: > > https://git-tails.immerda.ch/tails/tree/wiki/src/install/ > inc/stylesheets/dave_2.css > > JavaScript: > > https://git-tails.immerda.ch/tails/tree/wiki/src/install/inc/js/dave_2.js > > In the current version of the verification extension, the logic behind > the moving parts on the page is mostly taken care of by CSS selectors > (for example, #download[data-state="pause"]) and the extension itself. > But here I started writing some JavaScript to handle the interactions > that couldn't take place in the extension (because it might not be > installed already) and in the end I thought that maybe the whole logic > behind the moving parts could be handled this way (and this makes the > CSS *much* easier to understand). But I don't know if doing things this > way will work for you... > > I'm really not used to writing JavaScript like this or organizing code > between a page, a script, and an extension so I'd highly appreciate > comments and guidance on whether I went in the right directions or > should do things differently. > > For example, I supposed that it will be possible for your extension to > rely on some calls to some functions in the script dealing with the > logic between the moving parts (for example 'showVerificationResult'). > I thought that this would help us decouple what's shipped in the > extension from the content and interactions on the page. > > In my JS I also simulated the work of the extension. You'll see that > with the XXX comments in dave_2.js. > > Also, the prototype is far from being complete but I thought that it was > ready enough for you to start commenting on it and doing your coding > work. For example, I'm still missing: > > - To integrate the browser detection code (from dave.js). > - To make all the graphical elements look better. So far I focused on > the HTML structure and the interactions but not the look. > > If you want to build a local version of the website as part of your work > and need guidance on how to do that, I can help you out. > > Tell me if you need anything! > ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
