undefined | Better HN

0 pointssachaa1mo ago0 comments

Thanks for the feedback. This is a proof of concept, not production-hardened software, and the README should be clearer about that.

To your questions:

- 1. The CryptoKey is extractable: false, so JS can't export the raw key material, it only exposes encrypt/decrypt operations. It won't stop a full XSS attack on the same origin, but it does prevent casual inspection of IndexedDB/DevTools. Defense in depth, not a silver bullet.

- 2 & 4. You're right, the fetch_url tool and javascript eval in the worker both have unrestricted network access. A confirmation step for outgoing requests is worth adding. Good callout.

- 3 Honest oversight, no reason the Telegram token shouldn't get the same treatment. Will fix.

Updating the security language in the README to be more accurate about the threat model. PRs welcome if anyone wants to tackle sandboxing the JS tool (iframe with a null origin is one approach).

0 comments

No comments yet.

0 pointssachaa1mo ago0 comments

Thanks for the feedback. This is a proof of concept, not production-hardened software, and the README should be clearer about that.

To your questions:

- 2 & 4. You're right, the fetch_url tool and javascript eval in the worker both have unrestricted network access. A confirmation step for outgoing requests is worth adding. Good callout.

- 3 Honest oversight, no reason the Telegram token shouldn't get the same treatment. Will fix.

Updating the security language in the README to be more accurate about the threat model. PRs welcome if anyone wants to tackle sandboxing the JS tool (iframe with a null origin is one approach).