Hi, jvoisin: >> General security implications >> ----------------------------- >> >> The question we are asking ourselves is: are there any predictable >> downsides to move the verification code from an extension to the website?
> I don't see any significant downsides. I could not find any either, as long as the threat called [H] in the design doc of the current system can be mitigated, either in the same way as what we currently do (see Cross-origin communication and Content Security Policy paragraphs) or in other ways. One rather minor implementation note, that's relevant in this context only because any software is only as secure as the _version run by actual users_: this migration increases the need to ensure web browsers use the correct version of the relevant web resources (such as JavaScript files), to replace the extension version check we currently have, which is done for every download. At the moment JS can be cached for 24h. We have a ticket about this already; I think it needs to be part of the migration plan. > I think that having the verification happening on the website will > vastly improve the user experience and is a great idea. +1 Cheers, -- intrigeri _______________________________________________ Tails-dev mailing list Tails-dev@boum.org https://www.autistici.org/mailman/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.