Hi, sajolida: > The work on Tails Verification (the replacement of DAVE) and the new > download page is almost done and it's work fine. Still, I got quite > scared reading about the security implications postMessage:
> https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage Indeed. > Uzair wrote the code and u already reviewed it but I'd like to have > someone else telling me that this is fine and that only the extension > can send a "verification-success" message to the download page. I'm up to taking a good look at it; I'll probably need to ask help from more skilled people. But if I did this with the info I have currently, I would probably duplicate quite some work already done by Uzair and/or u. IMO it's the developers and/or reviewers' job to make such audits easy by documenting their reasoning, especially in highly sensitive code that uses features explicitly documented as dangerous. So: - Uzair: please document your reasoning to explain why you think the current code is safe; - u: please tell me how deep you have already looked into the safety of this aspect of the code, and if you did, explain why you think the current code is safe; - sajolida: what timeline would be suitable for you to get an answer to your question? Cheers, -- intrigeri _______________________________________________ Tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
