Best Security Practices

There are some guidelines your organization should follow to make your application more secure.

Running the Application from a Different Origin

HCL recommends hosting your web applications from a different origin than the Verse application. Web apps that run from the same origin as Verse have full access to the Verse application page content and therefore are, potentially, less secure. Any web applications that run from your Verse domain should be reviewed and fully trusted by your organization.

Cross-Scripting Attack

If your application is using cross-document messaging to communicate with Verse, it can be vulnerable to cross-site scripting attack unless certain security implementations are followed carefully. This section is specific to extensions that use widget actions and leverage the verseDataApi.

Verify the Origin and Target

When receiving messages, always verify origin of the message. Whenever using the verseDataApi you should add a check to ensure the message is coming from a verified origin. When a message event is received, immediately verify its origin before executing any other code:

window.addEventListener("message", function(event) {
/**
* You should add the following code to check the origin of the message and prevent
* the rest of the JavaScript code from executing if the message origin does not match
* your Verse domain or the expected origin
*/
if (event.origin !== "<your-Verse-domain-here>"){
return;
}

Likewise, when sending message, you should always specify the targetOrigin which provides control over where messages are sent. From the official Web API docs:

"Always provide a specific targetOrigin, not *, if you know where the other window's document should be located. Failing to provide a specific target discloses the data you send to any interested malicious site."

In the sample HTML page, when posting message from the sample page back to Verse, we specify the targetOrigin to be the origin of the previous event we received, event.origin.

tip

If you verified the origin of the message by implementing the suggestion in the previous tip, you can be sure that event.origin here would be your, verified, Verse domain.

event.source.postMessage(loaded_message, event.origin);

Validate the Message

Always validate the messages being passed; it is the responsibility of the extension developer to ensure data received is treated appropriately.

This includes trying to use innerText or textContent instead of innerHTML when inserting data value into the DOM which will prevent malicious code being inserted and executed.

For example, with the HTML sample page, if it used insertAdjacentHTML instead of innerText to display the stringified JSON data from the user’s side and a mail subject contained the following line (either in the Mail Compose View or Mail Read View) then when the extension is triggered, a button would be added onto the application’s HTML page, which when clicked, will show an alert:

</div><button onclick='alert()'>Click me!</button><div>

This is a proof of concept to show how a malicious user could take advantage of this vulnerability to execute their own script.

To learn more about cross-site scripting attack, please refer to the OWASP site. Google Chrome has also provided some guidance on how to make your web extension more secure; please refer to their documentation.

URL Scheme Whitelist

Verse defines a URL Scheme Whitelist to restrict what URL schemes can be used in an extension URL when opened from Verse.

Default URL scheme whitelist

The URL schemes http, https, notes, im, sip, tel and xmpp are allowed on Verse by default. If the extension is deployed via browser extension, then chrome-extension and moz-extension URL schemes are also allowed by default. However, if the extension is opened in a new window or new tab, then only http, https, chrome-extension and moz-extension URL schemes are allowed by default.

Custom URL Scheme Whitelist

You can set the VOP_Extensibility_Url_Scheme_Whitelist parameter in notes.ini, introduced in Verse on-Premises V1.0.4, to allow additional custom URL schemes. Schemes should be added as a comma-separated string as shown in the example below.

Example Custom URL Scheme Whitelist
In the below example, ftp and thunder schemes are added to custom URL scheme whitelist, thus, ftp and thunder schemes would be allowed in the extension URL.

VOP_Extensibility_Url_Scheme_Whitelist=ftp,thunder

External Security Resources

NameDescription
OWASPOpen Web Application Security Project provides free, online, articles and resources for web security
Chrome Extension SecurityGoogle Chrome's offical Web Extension security documentation
MDN Content Security PolicyMDN's official Content Security Policy documentation
URL SchemesAn extensive list of registered URL Schemes