Hi!

sajolida:
> The work on Tails Verification (the replacement of DAVE) and the new
> download page is almost done and it works fine. Still, I got quite
> scared reading about the security implications of postMessage:
>
> https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Thanks for raising this issue specifically!

The doc says "Always specify an exact target origin, not *, when you use postMessage to send data to other windows. A malicious site can change the location of the window without your knowledge, and therefore it can intercept the data sent using postMessage."

The code currently contains tons of "*" instead of a location.

Then: "if you do expect to receive messages from other sites, always verify the sender's identity using the origin and possibly source properties."

And: "Having verified identity, however, you still should always verify the syntax of the received message."

And later the doc says about using postMessage in extensions: "The targetOrigin argument for a message sent to a window located at a chrome: URL is currently misinterpreted such that the only value which will result in a message being sent is "*". Since this value is unsafe when the target window can be navigated elsewhere by a malicious site, it is recommended that postMessage not be used to communicate with chrome: pages for now; use a different method (such as a query string when the window is opened) to communicate with chrome windows."

I'm not an expert in such extensions, but I have the slight feeling that there is some more work to be done here :)

Cheers!
u.
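
The three checks quoted from the MDN page above (exact target origin when sending, origin and source verification when receiving, then syntax validation), as an added example that is not part of the original message and is not Tails code. The origin `https://download.example`, the `{action, payload}` message schema and the function names are assumptions made for illustration.

```javascript
// Added example: the origin and the message schema below are assumptions.
const TRUSTED_ORIGIN = "https://download.example"; // placeholder origin
const ALLOWED_ACTIONS = new Set(["verify", "status"]); // hypothetical schema

// Sender: refuse "*" and anything that is not exactly scheme://host[:port].
function safePost(targetWindow, message, targetOrigin) {
  if (targetOrigin === "*" || new URL(targetOrigin).origin !== targetOrigin) {
    throw new Error("targetOrigin must be an exact origin: " + targetOrigin);
  }
  targetWindow.postMessage(message, targetOrigin);
}

// Syntax check: exactly {action, payload}, known action, bounded string.
function validateMessage(data) {
  if (typeof data !== "object" || data === null || Array.isArray(data)) return null;
  if (Object.keys(data).sort().join(",") !== "action,payload") return null;
  if (!ALLOWED_ACTIONS.has(data.action)) return null;
  if (typeof data.payload !== "string" || data.payload.length > 256) return null;
  return { action: data.action, payload: data.payload };
}

// Receiver: check origin, then source window, then syntax, in that order.
function makeReceiver(trustedOrigin, expectedSource, onMessage) {
  return function receive(event) {
    if (event.origin !== trustedOrigin) return "rejected:origin";
    if (event.source !== expectedSource) return "rejected:source";
    const msg = validateMessage(event.data);
    if (msg === null) return "rejected:syntax";
    onMessage(msg);
    return "accepted";
  };
}

// In a page (otherWindow and handle are hypothetical):
// window.addEventListener("message", makeReceiver(TRUSTED_ORIGIN, otherWindow, handle));
```

This applies to messages between web content windows; it does not change the chrome: URL limitation quoted above.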
