On 27/06/2012 22:28, Ian Goldberg wrote:
> On Wed, Jun 27, 2012 at 12:54:06PM -0700, Chris Ballinger wrote:
>>
>> Would it be possible/feasible to write browser extensions (Chrome, Safari,
>> FF) that use Emscripten (LLVM to JS compiler) to compile libotr, and then
>> hook into the DOM for Gmail or Facebook (or possibly any two user-defined
>> text fields?) for "seamless" in-browser OTR?
>
> Lots of people have considered that, but there's a major obstacle: how
> do you know the libotr plugin is actually being used, and it's not just
> sending plaintext to GTalk? As far as I know, there's no "secure
> chrome" mechanism extensions can use to confirm to the user that the
> text is being typed directly to the extension, and that other javascript
> running on the same page can't intercept the keystrokes.
>
> - Ian

I started writing a Firefox add-on of this kind some time ago [0] [1]. I used jsctypes to use the C libotr from Firefox. I hook the Facebook DOM and insert an iframe inside (content, plaintext and keystrokes should be protected by the JS same-origin policy). I also planned to even insert a custom image (always stored on the client PC) so that the website (or someone tampering with the connection) can't "mimic" the add-on iframe.

The major problem is that the DOMs of Facebook and Gmail are always changing and it is very difficult to adapt the add-on every time (FireGPG had the same problem). Even the Gmail JS is very difficult to understand (at least for me).

My add-on isn't complete but can be a starting point for the libotr jsctypes mapping that is almost finished.

Garulf

[0] http://gitorious.org/fireotr
[1] http://lists.cypherpunks.ca/pipermail/otr-dev/2011-June/001183.html
