On 3/17/14 9:25 AM, Benjamin Smedberg wrote:
> Isn't this something which pagemod addons and greasemonkey already do?

To some extent. In a lot of cases, those are running with the principal of the page, not with a system principal; that makes a big difference.

> Do we not have a safe way now to expose objects and functions to pages (all pages or some pages)?

We have a way that can be safe as long as you're really careful about some things. e.g. if your API takes options objects, you have to realize that you might invoke arbitrary page script any time you touch the options object.
What WebIDL gives you is handling some of those details for you so you don't have to think about them.

> Maybe this means we should consider exposing some kind of structured-clone system for calling untrusted code, plus a safer way to call functions which may return arbitrary results?

Yes, on both counts.

-Boris
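
The options-object hazard discussed in this message, as an added example that is not part of the original e-mail or of Mozilla's code: plain JavaScript comparing an API that touches a page-supplied member twice with one that snapshots it once, roughly what WebIDL dictionary conversion does for a binding. Every function name and origin is hypothetical, and the privileged operation is a stand-in; no real principals are modelled.

```javascript
// Constructed example; every name and origin below is hypothetical.
const ALLOWED_ORIGIN = "https://example.test";

// Stand-in for the privileged operation; records the origin it acted on.
function privilegedFetch(origin, log) {
  log.push(origin);
  return "fetched:" + origin;
}

// Fragile: touches options.origin twice. Each touch can run page script
// (a getter), so the value checked and the value used can differ.
function fragileApi(options, log) {
  if (options.origin !== ALLOWED_ORIGIN) throw new TypeError("origin not allowed");
  return privilegedFetch(options.origin, log);
}

// Snapshot step: read each known member exactly once, coerce it to a
// primitive, and never touch the caller's object again.
function toDictionary(options) {
  if (options === null || typeof options !== "object") {
    throw new TypeError("options must be an object");
  }
  const raw = options.origin; // the only read; a getter runs here, once
  return Object.freeze({ origin: String(raw) }); // String() may call toString, once
}

// Hardened: validates and uses the snapshot, not the live object.
function hardenedApi(options, log) {
  const dict = toDictionary(options);
  if (dict.origin !== ALLOWED_ORIGIN) throw new TypeError("origin not allowed");
  return privilegedFetch(dict.origin, log);
}

// Constructed untrusted input: the getter answers differently on each read.
function makeShiftingOptions() {
  const state = { reads: 0 };
  const options = {
    get origin() {
      state.reads += 1;
      return state.reads === 1 ? ALLOWED_ORIGIN : "https://other.test";
    },
  };
  return { options, state };
}
```

With the constructed input, `fragileApi` passes its check on the first read and acts on the second, while `hardenedApi` reads the member once and acts on the value it validated.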