On Tue, Jun 16, 2015 at 9:13 PM, Andrew Sutherland <[email protected]> wrote:
> On Tue, Jun 16, 2015, at 02:45 PM, Paul Rouget wrote:
>> You mentioned XSS. If I understand what you're saying, introducing
>> `executeScript` allows anything that has access to the Browser API to
>> inject code to any web pages. That's exactly what it is designed for.
>> The Browser API already allows plenty of things. And when you have
>> access to the Browser API, you most certainly have access to other
>> critical APIs (bluetooth, file system, …).
>
> The other critical APIs are explicitly requested separately. It seems
> like it's worth making this one a separate privilege too. Or we run
> into the Android problem of "I need this permission for this reasonable
> thing, but it also grants me access to do all these sketchy things, so
> what are you gonna do?"
>
> Currently the browser API may be used for OAuth2 dance purposes for a
> variety of reasons. As we overhaul how we do webapps and per-app cookie
> jars and all that, the need for this may be removed, but right now the
> email app and the calendar app and probably others have the "mozbrowser"
> privilege. They do need this, but they absolutely do not need or want
> the ability to inject code into a google.com origin or other origins.

Absolutely. I was suggesting that earlier, adding another permission.

--
Paul
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform

