On Mon, Oct 02, 2017 at 09:07:09PM -0400, Boris Zbarsky wrote:
On 10/2/17 5:35 PM, Kris Maglione wrote:
So far it doesn't look like there's any significant difference on
any talos test from adding [NeedsCallerPrincipal] to
setAttribute/setAttributeNS/Attr.value,
OK. That's a minimum bar, obv
On 10/2/17 5:35 PM, Kris Maglione wrote:
So far it doesn't look like there's any significant difference on any
talos test from adding [NeedsCallerPrincipal] to
setAttribute/setAttributeNS/Attr.value,
OK. That's a minimum bar, obviously, but I would still like us to
measure what the (presumab
On Mon, Oct 02, 2017 at 11:39:21AM -0700, Kris Maglione wrote:
On Mon, Oct 02, 2017 at 11:13:20AM -0400, Boris Zbarsky wrote:
Passing along a JSContext would work. We could have something like
"null means no scripted caller, otherwise caller's compartment is
the part that matters". This relie
On Sun, Oct 01, 2017 at 12:54:26PM -0700, Luke Crouch wrote:
On Friday, September 29, 2017 at 2:32:57 PM UTC-5, Kris Maglione wrote:
Security & privacy concerns:
This change will allow extensions to inject content into sites which can
(and probably will) cause security and privacy issues. Howev
On Mon, Oct 02, 2017 at 11:13:20AM -0400, Boris Zbarsky wrote:
Passing along a JSContext would work. We could have something like
"null means no scripted caller, otherwise caller's compartment is the
part that matters". This relies on no one on the setattr path messing
with the compartment, b
On Mon, Oct 02, 2017 at 07:50:41AM -0700, Daniel Veditz wrote:
On Fri, Sep 29, 2017 at 8:33 PM, Boris Zbarsky wrote:
On 9/29/17 3:32 PM, Kris Maglione wrote:
For instance, the following should all capture the caller principal for
the `src` URL at call time:
document.write(`http://exampl
This is very cool, Geoff! People have been talking about this idea for a
long time, so it is great to see it actually running. I'm glad to see chaos
mode being tested, too.
On 2017-10-02 10:11 AM, Geoffrey Brown wrote:
Today the test-verify test task will start running as a tier 2 job.
Look for th
Today the test-verify test task will start running as a tier 2 job.
Look for the "TV" symbol on treeherder, on linux-64 test platforms.
TV is intended as an "early warning system" for identifying the
introduction of intermittent test failures. When a mochitest, reftest,
or xpcshell test file is mo
The mochitest, reftest, and xpcshell test harnesses now support a
--verify option. For example:
mach mochitest docshell/test/test_anchor_scroll_after_document_open.html --verify
In verify mode, the requested test is run multiple times, in various
"modes", in hopes of quickly finding any intermi
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=951104
Rationale: There's already a myriad of ways to obtain this data
through script. We might as well ship the protocol that both Chrome
and Safari ship in the hope that along with sendBeacon() it decreases
the usage of the slower alternatives; u
On Mon, Oct 2, 2017 at 6:09 PM, Boris Zbarsky wrote:
> On 10/2/17 12:03 PM, Daniel Veditz wrote:
>> Fair enough. Could we propose improvements to the APIs that would make
>> them more usable? For example an object argument to createElement() that
>> contained attribute/value pairs?
>
> This has de
On 10/2/17 12:03 PM, Daniel Veditz wrote:
Fair enough. Could we propose improvements to the APIs that would make
them more usable? For example an object argument to createElement() that
contained attribute/value pairs?
This has definitely been proposed before. Worth checking with Anne to
se
On Mon, Oct 2, 2017 at 8:17 AM, Boris Zbarsky wrote:
> The fact is, direct DOM manipulation with no parser involved is really
> annoying to use.
>
Fair enough. Could we propose improvements to the APIs that would make
them more usable? For example an object argument to createElement() that
con
On 10/2/17 10:50 AM, Daniel Veditz wrote:
As long as direct DOM manipulation works, and is easier
than overwriting (or removing) the page's CSP, can't we just encourage
people to use that mechanism?
The fact is, direct DOM manipulation with no parser involved is really
annoying to use. Compar
On 9/30/17 12:19 AM, Kris Maglione wrote:
I still haven't settled on the details, but it will probably have to
involve capturing the caller principal from SetAttr hooks. Which would
involve either changing that machinery to pass along a JS context when
invoked by a scripted caller, or using s
On Fri, Sep 29, 2017 at 8:33 PM, Boris Zbarsky wrote:
> On 9/29/17 3:32 PM, Kris Maglione wrote:
>
>> For instance, the following should all capture the caller principal for
>> the `src` URL at call time:
>>
>> document.write(`http://example.com/favicon.ico";>`);
>> div.innerHTML = `http:
Hi everyone,
Here's the list of new issues found and filed by the Desktop Release QA
Team last week, *September 25 - September 29* (week 39).
Additional details on the team's priorities last week, as well as the
plans for the current week are available at:
https://public.etherpad-mozilla