#5667 Added message decryption on Thunderbird #5796
GitGuardian id | GitGuardian status | Secret | Commit | Filename | |
---|---|---|---|---|---|
2422507 | Triggered | Generic Password | f901bc5 | extension/chrome/elements/compose.ts | View secret |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future consider
- following these best practices for managing and storing secrets including API keys and other credentials
- install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Update: Embedding Another problem I have is that, opgp object from @sosnovsky, just sharing this with you. There's no need to check it for now, but I'll let you know when help is needed. |
@martgil thanks for update! In the case if it's not possible to directly decrypt message inside Thunderbird UI, we can add |
|
||
public static thunderbirdContentScriptRegistration = async () => { | ||
await messenger.messageDisplayScripts.register({ | ||
js: [{ file: './js/content_scripts/thunderbird-content-script.js' }], |
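Review bot: the awaited messenger.messageDisplayScripts.register(...) call has no guard or error handling in these lines. If ./js/content_scripts/thunderbird-content-script.js is missing from a build, or this static method runs where the messenger global is undefined, the rejection or ReferenceError propagates straight to the caller. Suggest checking typeof messenger !== 'undefined' before the call, catching and logging a failed registration, and adding a comment that this method is Thunderbird-only.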
after build changes all extension versions (not only thunderbird), include additional thunderbird-content-script.js which is almost 5mb:

for browsers we use injectFcIntoWebmail method which adds all needed files to each gmail tab.
do you think it'll be possible to adapt this method for thunderbird?
after build changes all extension versions (not only thunderbird), include additional thunderbird-content-script.js which is almost 5mb:
Ah, yes - sorry about that. I'll find a viable alternative solution to it, in which thunderbird-content-script.js should only be created for the Thunderbird build.
let's start with trying to adapt injectFcIntoWebmail method to inject all needed scripts into thunderbird, so it'll work the same in browsers and thunderbird.
and if it doesn't work - then use thunderbird-content-script.js
Hi @sosnovsky - I tried to adapt using injectFcIntoWebmail and there are incompatibilities that prevent me from somehow making it work as closely as it works on the browser. For example, in Thunderbird, registration for content script is done within messageDisplayScript.register, which only accepts one of the two parameters (file or code). And then several files don't seem to work when defined in .register() - https://webextension-api.thunderbird.net/en/91/messageDisplayScripts.html.
However, I have done my best to achieve the best result while still complying with the requirements, which I believe I have accomplished in this PR. Please review and test it out. From my perspective, the results are extremely positive, and I'm excited to hear your feedback. :)
Thanks for your help.
This will be a better solution, as storing unlocked private key will make it more vulnerable for possible attacks. Let's go with this one |
@sosnovsky Unfortunately, I've spent time working on that and that part of the Thunderbird isn't really changeable. I mean, it is changeable in a way that the user would be importing a custom css file on their machine to get rid of it. Some say that it can be removed through custom CSS, like editing and overriding the
Thanks for confirming that. I'll take a look and let you know. |
Hello @sosnovsky - this one is ready for review. Thank you! |
Hi @martgil, sorry for the long review - I was just checking how script injection works in Thunderbird, added some additional logging and noticed that After some investigation I've found that our script didn't get correct list of tabs in Thunderbird, because we expect tab URL to start with I'll try to make injection work for Thunderbird, to make its logic similar to browser extension, so it'll work the same for different platforms. Or maybe you've already tried to change expected tab URLs for Thunderbird and it didn't work? |
Hello @sosnovsky - Thank you for thoroughly reviewing this.
Ah yes, I didn’t change this within injectContentScripts because, as far as I know, content scripts are slightly different in Thunderbird compared to what I understand from its development. In Thunderbird, we use messageDisplayScript and register it. I’m not entirely sure how exactly content script injection works in Thunderbird, especially since it appears to be applied per tab. I reviewed this during the last review and found that it might not be usable for Thunderbird, given the restrictions I understand. However, I might have been confused and not fully understood the entire concept of content script injection, including which specific scripts need to be injected.
Yes, to be exact, it is in the imap:// protocol of some sort, if I’m not mistaken from my last check. Origin can be checked via Thunderbird's dev tools if I understood it correctly.
I understand, Roma. I apologize if I haven’t been reliable on this matter. But I'm here to help if you need me check some other things.
I actually do use CSP, but the imap:// protocol doesn’t seem to work with it. For example, |
You've done a great job, initially I didn't expect that it'll be possible to show decrypted messages directly in the Thunderbird message UI, but you did and it works well. Current solution is good, I just want to check Thunderbird injection logic to find a possibility to make it work like on browsers, so we won't need to support 2 different injection approaches in the future. |
Hi @martgil, it seems I updated
public static thunderbirdContentScriptRegistration = async () => {
  const contentScriptGroups = chrome.runtime.getManifest().content_scripts ?? []; // we know it's in the manifest
  const files = contentScriptGroups[0].js?.map(url => url.replace(/moz-extension:\/\/[^/]+\//, './')) ?? [];
  await messenger.messageDisplayScripts.register({
    js: files.map(file => ({ file })),
    css: [{ file: './css/cryptup.css' }],
  });
};
But looks like |
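The manifest-to-register() mapping from the snippet above, pulled into a pure helper that can be unit-tested outside Thunderbird; this is an added example, not code from the PR or from FlowCrypt. buildRegistration, toRelativeFile and the sample manifest (UUID and file names) are hypothetical, and the helper goes beyond the snippet by rejecting an empty manifest and any path that does not stay inside the extension package.

```javascript
// Added example: no Thunderbird API is called here, only the argument object is built.
// Same moz-extension://<id>/ prefix that the snippet above strips.
const EXT_ORIGIN = /^moz-extension:\/\/[^/]+\//;

// Hypothetical helper: normalise one manifest entry to a './relative/path'.
function toRelativeFile(url) {
  const rel = url.replace(EXT_ORIGIN, '').replace(/^\.?\//, '');
  // Refuse remote URLs, protocol-relative or absolute paths, and parent traversal,
  // so only files shipped in the extension package can ever be registered.
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(rel);
  if (hasScheme || rel.startsWith('/') || rel.split('/').includes('..')) {
    throw new Error(`refusing non-packaged script path: ${url}`);
  }
  return `./${rel}`;
}

// Hypothetical helper: build the object passed to messageDisplayScripts.register().
function buildRegistration(manifest, cssFiles = ['./css/cryptup.css']) {
  const groups = manifest.content_scripts ?? [];
  const js = (groups[0]?.js ?? []).map(toRelativeFile);
  if (js.length === 0) {
    // Fail loudly instead of registering nothing and silently skipping decryption.
    throw new Error('manifest declares no content scripts to register');
  }
  return {
    js: [...new Set(js)].map(file => ({ file })), // de-duplicate, keep order
    css: cssFiles.map(file => ({ file })),
  };
}

// Constructed sample input: the UUID and file names are placeholders.
const SAMPLE_MANIFEST = {
  content_scripts: [{
    js: [
      'moz-extension://11111111-2222-3333-4444-555555555555/lib/example-a.js',
      './js/example-b.js',
      'js/example-b.js',
    ],
  }],
};
```
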
Hi @sosnovsky - thank you for the information you've shared with me and for your help. In that case, I think we can just leave sweetalert2.js if that's the only js library that prevents it from working since we can use iframe within the Thunderbird UI and so we won't be able to display some sweetalert pop ups there. What do you think? |
I'll try to find possible fix for using |
I understand - thanks! I'll help you with this after I've finished all the GH issues assigned to me in the enterprise-server repo. |
Thanks, will keep you updated! |
finished in #5824 |
superseded by #5824 |
This PR added message decryption and its necessary UI improvements on Thunderbird email client.
close #5667