fbender opened 8 months ago
While I totally agree with the benefits of an external security review and enhanced technical verifications for each update, I feel like this extension does not yet meet Mozilla's criteria for Recommended extensions.
I will thus focus my efforts on meeting the following requirements before nominating the extension:
I think one other aspect, also in light of a security audit, is to minimize the footprint of the code, both in terms of LoC and external dependencies. Two things that immediately came to my mind:
I'm sure you have further ideas to keep the footprint small. Would you agree to the idea that I open a ticket to track this work? I understand if this is out of scope and distracting, so I figured I'd ask first :)
I definitely agree on keeping the footprint small. You can indeed open an issue to track that.
SJCL was used for SRP because that's what Apple's extension uses too. It's required for AES encryption/decryption, SHA256 hashing, big numbers, bit array manipulation, binary/hex/base64/utf8 transcoding, and a bunch of known group constants. Those are all very standard, so that should be feasible with the browser's built-in libraries or a very lightweight library.
As for React, I'd be happy to consider your PR if you wish to open one. I'm familiar with most frameworks, so building on top of that wouldn't be an issue for me. lit and Svelte are both good options in my opinion.
Two more things that come to mind are webpack and webextension-polyfill:
`background.scripts` to `background.service_worker` in `meta/manifest.json`). Two separate bundles could be generated instead: one for Firefox without the polyfill, and another for Chrome with the polyfill and edited manifest.
I understand this extension is in early stages, but I believe the security sensitivity aspect of it will sooner rather than later warrant an external security review. This, alongside the visible indicator (like a "certificate" for the review) for other Firefox users to see that they can trust this extension, can be provided through the "recommended extension" program on addons.mozilla.org (plus I'd say it's a pretty essential extension on macOS that Mozilla would be keen to promote).
Info on how to apply, relevant section: