On Wednesday, November 27, 2019 at 4:55:35 PM UTC+1, s.h...@gmail.com wrote:
> How will you leak Geo Location, Camera data, etc., using HTML injection? I’m 
> saying the origin is vulnerable to HTML injection, and origin is not 
> malicious.
Thanks, yes, that is a consideration we should care about: giving broader 
permission access. Obviously, this is not ideal. I have not added any 
mitigation to the implementation yet. 
Conversely, there would be another attack: to link to attacker spaces on 
already-trusted sites (but not top-level) and silently get access too. I think 
there would be a trade-off between them. Besides, if a user granted skype.com 
and the origin is vulnerable to HTML injection, then when an attacker requests a 
permission grant, the users may not have any context for or understanding of 
it. That is very confusing, and users tend to accept that request because they 
are under a trusted context of the top-level origin.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
