The page lesspass.com is meant to be a single-page web app with the extremely important function of directly accepting people's master passwords.
This is going to sound stupid to some people, but I'll propose it.
In the interest making this page more secure, I recommend that all resources on this page be inlined. As in one HTML file including all style, images (SVG), and everything needed to display it. Possibly one exception is lesspass.js.
This makes it easier to confirm that there are no tricks, no phoning home, no other network requests.
Can be implemented here https://github.com/lesspass/lesspass/tree/master/packages/lesspass-site
fulldecent
All 3 comments
see #369 for background
edouard-lopez
on 20 Jan 2021
Yes this is a really good idea.
The only difficulty is in the tooling.
guillaumevincent
on 21 Jan 2021
@edouard-lopez it's not PWA, it's more inlining everything in one html file. If we can remove the minification at the same time, it's will be very easy for anybody to do an audit. Just download the HTML and check the hash. See between different versions, the changes.
guillaumevincent
on 21 Jan 2021
Related issues
delphine-graeff
·
3Comments
0x2b3bfa0
·
3Comments
oncletom
·
3Comments
polarathene
·
4Comments
panther2
·
3Comments
Most helpful comment
@edouard-lopez it's not PWA, it's more inlining everything in one html file. If we can remove the minification at the same time, it's will be very easy for anybody to do an audit. Just download the HTML and check the hash. See between different versions, the changes.