On 08/01/2025 01:14, Rehan Deen wrote:
I just came across this extension:
https://www.reddit.com/r/emacs/comments/1hvtlsa/the_new_and_only_orgprotocol_chrome_extension_you/
https://addons.mozilla.org/en-US/firefox/addon/emacs-paw/
Do you think this meets some of your needs and avoids the security
issues you've raised?
The code has not been published yet and I have no motivation to extract
it from the .xpi file. I have not tried it in action since I am not
inspired by the description. I do not like popups over page text. My
extension is not ideal, but it covers my use case (quite different from
"paw").
In Firefox, the add-on likely request permission for an org-protocol
handler on behalf of itself and it is OK. In Chrome it depends on API
used by the extension. I am against granting the permission to web
sites, in addition it is annoying to confirm intention for every site.
Ideally, extension should escape characters in page titles and selected
text that may be considered as Org markup. Otherwise there is a chance
to unintentionally execute some code. It requires some user interaction,
but e.g. TAB is used too often.
As to a bug for changed bookmarklet behavior in Firefox, there is almost
no chance that I will file it since I do not use this feature.
