On 15.04.2015 18:54, Jan Odvarko wrote:
> …
> This approach has one security implication, if the page uses "default-src
> 'none'" (or other security restrictions?) - injecting JS into it generates
> warnings: "Content Security Policy: The page's settings blocked the loading
> of a resource at self ("default-src 'none'")."
>
> Another option is introducing a specific URL (like:
> chrome://browser/devtools/jsonviewer.xul) that implements the entire app
> and avoids JS injection in the existing content. But direct conversion of
> JSON documents is handy... and perhaps we have yet another option...?
>
> What do you think?
> What approach is the best here? (and without any security concerns)
Running our code in someone else's origin sounds undesired indeed. Not only because of CSP: what if someone puts this in a frame (or a popup) and interacts with this JSON viewer?

A custom URL sounds more reasonable - but we have to make sure it doesn't have special powers, in case we mess up and the JSON viewer can be XSSed.

Maybe we can build a JSON-specific handler in 'view-source'? The view-source scheme has all the security details in place: you can't put 'view-source' in a frame, object or embed tag. It's on a unique origin. It has no special privileges.

WDYT? Maybe view-source could show colored HTML for _this_ content type and prettified JSON for _that_ content type. AFAIR we even had something like this for XML in the tree - didn't we?

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
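The CSP warning quoted in the thread comes from the browser applying the page's own policy to the injected script. The following is an added illustration (not code from this thread or from Firefox) of the script-src to default-src fallback that makes a `default-src 'none'` page reject even a same-origin script; the URLs are constructed and the source-matching rules are a deliberately simplified subset of the CSP spec.

```javascript
// Minimal CSP evaluator: would a script loaded into a document be blocked by
// that document's Content-Security-Policy? Real browsers implement far more
// (nonces, hashes, 'unsafe-inline', 'strict-dynamic', wildcard hosts, scheme
// sources, report-only); this handles only directive fallback and the source
// expressions 'self', 'none', '*', full origins and bare host names.

function parseCsp(header) {
  // "default-src 'none'; script-src 'self'" -> Map(name -> [sources])
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    // Per spec, a repeated directive is ignored: the first occurrence wins.
    if (!policy.has(key)) policy.set(key, sources.map(s => s.toLowerCase()));
  }
  return policy;
}

// script-src governs scripts; if absent, default-src applies; if neither is
// present there is no restriction at all.
function scriptAllowed(header, pageUrl, scriptUrl) {
  const policy = parseCsp(header);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true;
  // An empty source list, or a list that is exactly 'none', matches nothing.
  if (sources.length === 0) return false;
  if (sources.length === 1 && sources[0] === "'none'") return false;
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl);
  for (const src of sources) {
    if (src === '*') return true;
    if (src === "'self'" && script.origin === page.origin) return true;
    if (src.includes('://') && new URL(src).origin === script.origin) return true;
    // Bare host source (assumption: exact host match only, no wildcards).
    if (!src.startsWith("'") && !src.includes('://') && src === script.host) return true;
  }
  return false;
}

// Constructed example matching the thread: a JSON document served with
// default-src 'none' blocks a script from its own origin, while the same
// document with default-src 'self' would permit it.
const JSON_PAGE = 'https://api.example/data.json';
const VIEWER_SCRIPT = 'https://api.example/jsonviewer.js';
```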