Opened 3 years ago

Last modified 6 months ago

#10941 new task

Secure messaging window

Reported by: sukhbir
Owned by:
Priority: Medium
Milestone:
Component: Applications/Tor Messenger
Version:
Severity: Normal
Keywords:
Cc: gk, mikeperry
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Investigate Instantbird's whitelisting of HTML content and the related security issues that may arise out of this.

Change History (13)

comment:1 Changed 3 years ago by gk

  • Cc gk added

comment:2 Changed 2 years ago by sukhbir

  • Keywords TorMessengerPublic added
  • Parent ID set to #14161

comment:3 Changed 2 years ago by sukhbir

  • Owner set to sukhbir
  • Status changed from new to assigned

comment:4 Changed 2 years ago by arlolra

Messaging window is jailed to type=content and is additionally XSS filtered immediately prior to display.

We've further removed anchor tags from strict mode to resolve the ambiguity in #13618.

comment:5 Changed 23 months ago by arlolra

From gk's audit,

I looked at imContentSink.jsm/convbrowser.xml and studied the Instantbird audit done by Mozilla. Almost all issues mentioned in the audit got fixed; one is left which does not seem to bring a high risk with it, especially as Tor Messenger is configured to use the least permissive rendering mode (which is further hardened).

ToDo:

comment:6 Changed 23 months ago by sukhbir

  • Parent ID #14161 deleted

comment:7 Changed 19 months ago by arlolra

  • Keywords SponsorO removed

comment:8 Changed 19 months ago by arlolra

  • Keywords TorMessengerPublic removed

comment:9 Changed 17 months ago by arlolra

  • Cc mikeperry added
  • Severity set to Normal

Mike seems to be saying some things here,
https://www.youtube.com/watch?v=DqBFez4v_2I&t=2114

comment:10 Changed 16 months ago by mikeperry

Oh, my comments there simply were that it would be strictly better if we knew the message content window had scripts disabled fully, rather than (or actually, in addition to) being XSS filtered.

I know there was some contention with the Instantbird team over this, as they felt this would negatively impact UI, so my thought was that we could have a security slider here, too. So for example, look at all of the stuff that Coy.im disables: https://coy.im/about/. Rather than killing all of that up-front (which will negatively impact UX), it could be progressively disabled as security level is increased.

comment:11 Changed 16 months ago by arlolra

Thanks for clarifying (actually, I think you were being pretty clear to begin with, I'm just of the confused type).

A security slider seems apt. In #17480, Tails is asking for a less restrictive (linkified) content window. (Though maybe Tails, and the rest of the security-conscious folks, have moved on to CoyIM as it is ...)

comment:12 Changed 6 months ago by arlolra

  • Owner sukhbir deleted

comment:13 Changed 6 months ago by arlolra

  • Status changed from assigned to new