Uzair Farooq:
> Here are my findings:
>
> 1. Our extension script is only injected in https://tails.boum.org, so
> unless there's an iframe on the download page there's no way for any
> other hosts to receive message from our extension. Nevertheless, I've
> changed the target from '*' to 'https://tails.boum.org' to be more safe.
>
> 2. On receiving end we have a check to verify that the source 'window'
> object of the message is same as the 'window' object of the current page
> which essentially means that the site will always reject messages from
> any other page. Nevertheless, I've added an additional check to verify
> that the source of the message is 'https://tails.boum.org'
>
> 3. We have checks in place to verify format/data of the messages passed.
>
> Other than that I don't think there's anything else to be worried
> regarding security.

Thanks for the detailed explanation! I tested this new version and it
works! I released it for Firefox but not for Chrome.

I tried to modify the check on both sides of the message communication
(postMessage on the extension and receiveMessage on the web page) and I
get errors from Firefox on the console. For example, to be able to test
the extension locally I now have to patch the code of both the extension
and the website (73899ef).

> One thing I want to mention here is that all these
> checks are to prevent attempts from other sites/pages but if user has a
> malicious extension installed, it can easily fake/intercept things

Yeap. We already detected that in our initial threat modeling analysis.
Search "(F)" in:

https://tails.boum.org/blueprint/bootstrapping/extension/

_______________________________________________
Tails-dev mailing list
https://mailman.boum.org/listinfo/tails-dev
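
The three checks discussed in this thread (explicit target origin on the sending side, then source window, origin and message format on the receiving side), as an added example that is not part of the original messages or the extension's code. The message shape, the action names and the function names are assumptions made for illustration.

```javascript
// Added example: names and message format are hypothetical, not the extension's code.
const EXPECTED_ORIGIN = 'https://tails.boum.org';
// Hypothetical set of message types the page is willing to act on.
const ALLOWED_ACTIONS = new Set(['verification-success', 'verification-failed']);

// Sending side (extension content script): name the target origin instead of
// '*', so the browser only delivers the message to a document of that origin.
function sendToPage(win, message) {
  win.postMessage(message, EXPECTED_ORIGIN);
}

// Receiving side (web page): returns true only if all three checks pass.
function isTrustedMessage(event, selfWindow) {
  // 1. The message must come from this page's own window object, which is
  //    where a content script injected into the page posts from.
  if (event.source !== selfWindow) return false;
  // 2. Exact origin comparison; a prefix or substring match would also
  //    accept look-alike hosts that merely start with the expected string.
  if (event.origin !== EXPECTED_ORIGIN) return false;
  // 3. Format check: a plain object carrying a known action string.
  const data = event.data;
  if (data === null || typeof data !== 'object' || Array.isArray(data)) return false;
  if (typeof data.action !== 'string' || !ALLOWED_ACTIONS.has(data.action)) return false;
  return true;
}

// Wire the handler up only when running in a browser.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    if (!isTrustedMessage(event, window)) return; // drop silently
    // ...act on event.data.action here...
  });
}
```

As noted in the thread, these checks only filter messages from other sites and pages; another extension running in the same page passes checks 1 and 2.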
