Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

README.md spelling and grammar #112

Merged
merged 1 commit into from
Feb 27, 2024
Merged

README.md spelling and grammar #112

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,17 +1,17 @@
# Signify Browser Extension
This browser extension was initially developed as part of Provenant's [Bounty PB311.1](https://docs.google.com/document/d/1mq82RDRGfoOMCs8sR8Cuj_hMC5i1_aP7e6DVqp8o13g/edit?usp=sharing)

This browser extension, initialy implemented for Chromium browsers, uses [sifnify-ts](https://github.com/weboftrust/signify-ts) to connect to a [KERIA](https://github.com/weboftrust/keria) agent and retrieve user AIDs and their associated keys and credentials. Those AIDs and credentials are use to signin into enabled websites. Once a signin is asociated with a website, it's stored in chrome store for future use.
This browser extension, initially implemented for Chromium browsers, uses [signify-ts](https://github.com/weboftrust/signify-ts) to connect to a [KERIA](https://github.com/weboftrust/keria) agent and retrieve user AIDs and their associated keys and credentials. Those AIDs and credentials are used to sign in to enabled websites. Once a signin is associated with a website, it's stored in chrome store for future use.

The primary goal of this extension is to provide a secure way to signin into websites without disclosing private keys to untrusted websites. Websites developers should adopt [polaris-web]() library to send messages to the extension requesting signed headers that are needed to authenticate in a backend service. Additionally to the signed headers, the website may request to provide a credential (ACDC).
The primary goal of this extension is to provide a secure way to sign in to websites without disclosing private keys to untrusted websites. Websites developers should adopt [polaris-web]() library to send messages to the extension requesting signed headers that are needed to authenticate in a backend service. Additionally to the signed headers, the website may request to provide a credential (ACDC).

This browser extension adopts [Manifest V3](https://developer.chrome.com/docs/extensions/develop/migrate/what-is-mv3) to take advantage of the new security features and performance improvements.

## Architecture
The browser extension is composed of the following components:

### Background
The background script, knwon as service worker in Manifest v3, is responsible for handling messages received from the content script, popup, and external webpages that were alredy allowed to request signed headers from the extension. The background script is also responsible for handling the communication with the KERIA agent.
The background script, known as service worker in Manifest v3, is responsible for handling messages received from the content script, popup, and external webpages that were already allowed to request signed headers from the extension. The background script is also responsible for handling the communication with the KERIA agent.

### Popup
It's the user interface of the browser extension. It can be accessed by clicking on the extension action icon in the browser toolbar.
Expand All @@ -24,11 +24,11 @@ The dialog is a html that is injected by the content script in the active web pa

## Security considerations
The following rules are enforced by design to ensure the security of the extension:
* The extension only sends signed headers to the website if the user has previously create a signing asociation with that website.
* The extension only sends signed headers to the website if the user has previously created a signing association with that website.
* The extension only sends signed headers to the website if the website is the active tab on the browser.
* The passcode is temporarry stored in the extension and is zeroed out after a few minutes.
* The passcode is temporarily stored in the extension and is zeroed out after a few minutes.
* Messages from content script are allowed if the content script belongs to the active tab.
* Direct messages from the website to the background script are only allowed for the active tab and if a signing asociation exists with the auto-singin flag enabled.
* Request minumin permision in the Manifest.
* All sesitive data is only accessed by the background script and popup, and never reaches the content script.
* Direct messages from the website to the background script are only allowed for the active tab and if a signing association exists with the auto-signin flag enabled.
* Request minimum permission in the Manifest.
* All sensitive data is only accessed by the background script and popup, and never reaches the content script.
* Never run external scripts in the extension (`eval()`).