Re: [Tails-dev] Security of postMessage between Tails Verifi…

Author: u
Date:  
To: tails-dev, Uzair Farooq
Subject: Re: [Tails-dev] Security of postMessage between Tails Verification and the download page
Hi!

sajolida:
> The work on Tails Verification (the replacement of DAVE) and the new
> download page is almost done and it works fine. Still, I got quite
> scared reading about the security implications of postMessage:
>
> https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage


Thanks for raising this issue specifically!

The doc says "Always specify an exact target origin, not *, when you use
postMessage to send data to other windows. A malicious site can change
the location of the window without your knowledge, and therefore it can
intercept the data sent using postMessage."

The code currently contains tons of "*" instead of a location.

Then:
"if you do expect to receive messages from other sites, always verify
the sender's identity using the origin and possibly source properties."

And:
"Having verified identity, however, you still should always verify the
syntax of the received message."

And later the doc says about using postMessage in extensions:

"The targetOrigin argument for a message sent to a window located at a
chrome: URL is currently misinterpreted such that the only value which
will result in a message being sent is "*". Since this value is unsafe
when the target window can be navigated elsewhere by a malicious site,
it is recommended that postMessage not be used to communicate with
chrome: pages for now; use a different method (such as a query string
when the window is opened) to communicate with chrome windows."

I'm not an expert in such extensions, but I have the slight feeling that
there is some more work to be done here :)

Cheers!
u.
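
The three checks quoted from the MDN documentation in the message above (exact target origin when sending, sender verification by origin and source, syntax check of the received message), as an added example that is not part of the original message and is not Tails code. The origin `https://download.example`, the message names and the function names are assumptions made for illustration.

```javascript
// Added example: origin, message schema and function names are assumptions.
const TRUSTED_ORIGIN = "https://download.example"; // placeholder origin

// Allowed message shapes: action name -> validator for its payload.
const SCHEMA = {
  "verification-started": (p) => p === undefined,
  "verification-result": (p) =>
    typeof p === "object" && p !== null &&
    Object.keys(p).length === 1 && typeof p.ok === "boolean",
};

// Receiver side: returns the validated message, or null if it must be ignored.
function acceptMessage(event, expectedSource) {
  // 1. Sender identity: exact origin comparison, never a prefix or substring test.
  if (event.origin !== TRUSTED_ORIGIN) return null;
  // 2. Optionally pin the specific window we opened or embedded.
  if (expectedSource && event.source !== expectedSource) return null;
  // 3. Syntax: plain object, known action, payload of the expected shape.
  const d = event.data;
  if (typeof d !== "object" || d === null || Array.isArray(d)) return null;
  if (typeof d.action !== "string") return null;
  if (!Object.prototype.hasOwnProperty.call(SCHEMA, d.action)) return null;
  if (!SCHEMA[d.action](d.payload)) return null;
  return { action: d.action, payload: d.payload };
}

// Sender side: pass the exact target origin instead of "*", so the browser
// drops the message if the target window has been navigated elsewhere.
function sendResult(targetWindow, ok) {
  const msg = { action: "verification-result", payload: { ok } };
  targetWindow.postMessage(msg, TRUSTED_ORIGIN);
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => {
    const msg = acceptMessage(e);
    if (msg) console.log("accepted", msg.action);
  });
}
```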