-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
updates related to #1509 #5330
base: master
Are you sure you want to change the base?
updates related to #1509 #5330
Conversation
These issues are encountered:
|
deleted my comment. what if we used the insecure messaging everywhere, does it easily reach where we need it? then we encrypt & sign, decrypt & verify. |
Somewhat easier, I think. flowcrypt-browser/extension/js/common/platform/store/acct-store.ts Lines 88 to 90 in 6d6a340
Also, how should we keep session passphrases? Keeping them in the content script would mean that opening several gmail tabs would require entering passphrases into each of them independently, right? |
I'm ok with that limitation. We could then reintroduce a background worker later, if it turns out a problem.
Could have been fixed on recent browser versions? That's probably from 6 years ago. We could just try it and see what happens. Alternatively, we could try |
You were previously talking about using a symmetric key. Can you elaborate on |
I don't have anything that specific in mind, but surely window.crypto has some way to encrypt things in a manner that can be verified to be authentic when decrypting. Roughly we could send something like Where the encryptedData also contains the destination. That way, receiving frames don't have to decrypt it to decide if they should drop the message or not, while at the same time they can still verify that the message and destination is authentic and matching once they do decrypt it. Then the content would just be an encrypted/serialised json of whatever today is in these messages. Just a rough idea. |
To disallow opening |
Sounds not so important, ok to not worry about that |
We also use |
this mainly involves |
This will not be easy, imo it warrants a separate PR. So I'd leave that as is for now, from background script. |
There is a problem using |
Maybe then it'll be better to implement migration to native It's possible to allow inline scripts using nonce or hashes - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script, but not sure if it's possible in our case. |
ajax
calls with fetch()
ajax
calls with fetch()
const encryptedMsg = await SymmetricMessageEncryption.encrypt(validMsg); | ||
BrowserMsg.sendToChildren(encryptedMsg); | ||
if (postToSelf) { | ||
window.postMessage(encryptedMsg, '*'); |
Check warning
Code scanning / CodeQL
Cross-window communication with unrestricted target origin Medium
Sensitive data
# Conflicts: # extension/js/background_page/bg-handlers.ts # extension/js/common/api/account-servers/external-service.ts # extension/js/common/api/authentication/google/google-oauth.ts # extension/js/common/api/email-provider/gmail/gmail.ts # extension/js/common/api/email-provider/gmail/google.ts # extension/js/common/api/shared/api.ts # extension/js/common/browser/browser-msg.ts # test/source/mock/attester/attester-endpoints.ts # test/source/mock/fes/customer-url-fes-endpoints.ts # test/source/mock/keys-openpgp-org/keys-openpgp-org-endpoints.ts # test/source/mock/lib/api.ts
# Conflicts: # extension/js/common/api/account-servers/external-service.ts # extension/js/common/browser/browser-msg.ts
# Conflicts: # extension/js/common/api/authentication/google/google-oauth.ts # extension/js/common/browser/browser-msg.ts # extension/js/common/platform/store/encryption-key-store.ts # extension/js/common/symmetric-message-encryption.ts
Trying to fix #5373 (to be merged after PR #5372)
Tests (delete all except exactly one):
To be filled by reviewers
I have reviewed that this PR... (tick whichever items you personally focused on during this review):