- Updated connection flow between users via QR codes
- Added manual switching option in QR code generator
- Increased number of QR codes for better readability
- Removed session creation and Lightning payment logic
- Refactored security system:
* no more restrictions
* all systems enabled on session creation
- Improved QR code exchange for mobile devices
Replace CDN React/ReactDOM/Babel with local libs; remove Babel and inline scripts
Build Tailwind locally, add safelist; switch to assets/tailwind.css
Self-host Font Awesome and Inter (CSS + woff2); remove external font CDNs
Implement strict CSP (no unsafe-inline/eval; scripts/styles/fonts from self)
Extract inline handlers; move PWA scripts to external files
Add local QR code generation (qrcode lib) and remove api.qrserver.com
Improve SessionTypeSelector visual selection (highlighted background and ring)
Keep PWA working with service worker and offline assets
Refs: CSP hardening, offline-first, no external dependencies
- Removed reliance on window.DEBUG_MODE and window.DISABLE_* flags.
- Configuration is now passed via constructor instead of global variables.
- Exposed API remains on `window.secureBitChat`, but without backup globals or hidden toggles.
- Consolidated multiple setInterval tasks into a single scheduler to reduce attack surface.
- Added strict limits for IV history and log storage to prevent memory exhaustion.
- Improved XSS hardening: no more global switches to disable security features.
- Removed unsafe exposure of internal objects:
• deleted all references to `window.fileTransferSystem`
• unified global API setup to a single immutable `safeGlobalAPI` via Object.freeze
• removed legacy branch with `delete window[name]`
- Logging improvements:
• eliminated all direct `console.*` calls (use `_secureLog` exclusively)
• fixed string templates with proper interpolation (``${var}``)
• prevented accidental fallback to raw console in production
- Cryptography enforcement:
• updated `_validateCryptographicSecurity()` to require ECDSA and PFS
• added emergency shutdown if critical crypto features are missing
• ensured consistent feature enabling for production
- Metadata of extracted keys is now marked encrypted: true
- Removed decryption bypass via _keyReferences, all keys are returned via decrypt
- Nested encryption uses random 96-bit IV instead of single byte increment
- Fixed _secureLogShim: correct argument destructuring (...args)
- Removed busy-wait in forceInitializeFileTransfer, replaced with async wait
- Replace unsafe console.error/warn calls with secure logging system
- Implement production-safe logging that masks sensitive data
- Add automatic sanitization for cryptographic keys and sensitive information
- Create secure logging infrastructure for EnhancedSecureWebRTCManager and EnhancedSecureCryptoUtils
- Prevent data leakage of internal logic and error details in production
- Add production/development mode detection for appropriate logging levels
- Implement server-side error logging for production environments
- Replace unsafe console.error/warn calls with secure logging system
- Implement production-safe logging that masks sensitive data
- Add automatic sanitization for cryptographic keys and sensitive information
- Create secure logging infrastructure for EnhancedSecureWebRTCManager and EnhancedSecureCryptoUtils
- Prevent data leakage of internal logic and error details in production
- Add production/development mode detection for appropriate logging levels
- Implement server-side error logging for production environments
BREAKING CHANGE: Enhanced key validation now performs complete ASN.1 parsing
Security improvements:
- Added complete ASN.1 DER parser for full structure validation
- Implemented OID validation for algorithms and curves (P-256/P-384 only)
- Added EC point format verification (uncompressed format 0x04)
- Validate SPKI structure elements count and types
- Check key size limits to prevent DoS attacks (50-2000 bytes)
- Verify unused bits in BIT STRING (must be 0)
- Added fallback support from P-384 to P-256
This fixes high-risk vulnerability where keys with valid headers but
modified data could be accepted. Now all structural elements are validated
according to PKCS standards.
Affected methods:
- validateKeyStructure() - complete rewrite with ASN.1 parsing
- All key import/export methods now use enhanced validation
Security Enhancements:
- Add salt entropy validation (minimum 16 unique bytes for 64-byte salts)
- Expand secure logging patterns to catch more sensitive data types
(fingerprint, mac, hash patterns)
- Implement random timing delays in verifyAuthProof() to mask execution timing
- Revert sanitizeMessage() to working regex-based approach
Validation Improvements:
- validateSalt() now checks both size and entropy quality
- secureLog.sanitizeContext() enhanced with additional sensitive patterns
- Added timing attack protection with 5-25ms random delays
- Improve installation status detection logic
- Add proper DOM cleanup when PWA is installed
- Enhance monitoring for installation state changes
- Fix shouldShowPrompt() logic to always check current status
- Add forceInstallationCheck() method for manual status updates
- Improve installation status detection logic
- Add proper DOM cleanup when PWA is installed
- Enhance monitoring for installation state changes
- Fix shouldShowPrompt() logic to always check current status
- Add forceInstallationCheck() method for manual status updates
- Eliminated unsafe global state (window.*)
- Added DoS protection with MessageSizeValidator
- Added race condition prevention with AtomicOperations
- Added rate limiting (10 files/minute)
- Added secure memory management with SecureMemoryManager
- Wrapped handleFileChunk in atomic operations
- Updated all methods with security enhancements
- New users now see install prompt automatically after 10 seconds
- Smart cancellation prevents duplicate prompts
- Added PWAUtils methods for delayed prompt management
- Enhanced user onboarding experience
- Respects installation status and user preferences
- Add production mode detection and secure logging system
- Replace console.log with _secureLog() that sanitizes sensitive data
- Hide encryption keys, message content, and security details from logs
- Implement log level control (production: warn+error only, dev: debug+)
- Add data sanitization for keys, tokens, buffers, and sensitive strings
- Prevent log spam with automatic rate limiting and cleanup
- Maintain useful debugging info while protecting user privacy
- Add automatic memory cleanup for log counters
Security Impact: HIGH - Prevents sensitive data exposure through browser console
Changes:
- Production: Only critical errors/warnings logged
- Development: Safe debugging info without sensitive content
- All message content, encryption keys, and tokens are now sanitized
- Automatic detection of production vs development environment
- Remove dangerous global window exposure of encryption keys and manager instance
- Replace window.webrtcManager/globalWebRTCManager with secure limited API
- Add window.secureBitChat with validated public methods only
- Implement automatic monitoring for unauthorized global exposure attempts
- Add security integrity checks and emergency shutdown capability
- Prevent access to sensitive data (encryption keys, session data, internal methods)
- Maintain full functionality while securing internal implementation
BREAKING CHANGE: window.webrtcManager is no longer available
MIGRATION: Use window.secureBitChat.sendMessage() instead of window.webrtcManager.sendMessage()
Security Impact: CRITICAL - Prevents XSS attacks from accessing encryption keys
Tested: All functionality preserved, file transfers working, connections stable
