On Thu, Apr 16, 2015 at 10:30 AM, Frederik Braun <[email protected]> wrote:
>
> Running our code in someone else's origin sounds undesired indeed. Not
> only because of CSP: What if someone puts this in a frame (or a popup)
> and interacts with this JSON viewer?

Why could interaction with a frame with the viewer be an issue?

> A custom URL sounds more reasonable
> - but we have to make sure it doesn't have special powers, in case we
> mess up and the JSON viewer can be XSSed.
>

Yes, my gut feeling is along these lines.

> Maybe we can build a JSON-specific handler in `view-source'? The
> view-source scheme has all the security details in place!
> You can't put 'view-source' in a frame, object or embed tag.
> It's on a unique origin. It has no special privileges.
>

Also an option (I think it's pretty much the same as if there was something like "View Page JSON").

> WDYT? Maybe view-source could show colored HTML for _this_ content type
> and prettified JSON for _that_ content type. AFAIR we even had something
> like this for XML in the tree - didn't we?
>

I don't know.

Honza

> _______________________________________________
> dev-platform mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-platform
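The XSS concern raised in the thread (a JSON viewer that renders untrusted document content as HTML) as an added example, not code from the thread or from Firefox's viewer: every key and string value is HTML-escaped before it reaches the markup, so markup inside the JSON is displayed as text. The function names and the sample document are hypothetical.

```javascript
// Added example (not Mozilla code): pretty-print parsed JSON as HTML while
// keeping every attacker-controlled string out of the HTML parser's reach.
// Only punctuation and fixed class names originate from this code; all keys
// and string values go through escapeHtml first.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Render a parsed JSON value as <span class="..."> markup, recursing into
// arrays and objects; `depth` only controls indentation.
function renderJson(value, depth = 0) {
  const pad = '  '.repeat(depth);
  const inner = '  '.repeat(depth + 1);
  if (value === null) return '<span class="null">null</span>';
  if (typeof value === 'string') {
    // JSON.stringify re-adds the quotes; escapeHtml neutralises the content.
    return `<span class="string">${escapeHtml(JSON.stringify(value))}</span>`;
  }
  if (typeof value === 'number' || typeof value === 'boolean') {
    return `<span class="${typeof value}">${String(value)}</span>`;
  }
  if (Array.isArray(value)) {
    if (value.length === 0) return '[]';
    const items = value.map((v) => inner + renderJson(v, depth + 1));
    return `[\n${items.join(',\n')}\n${pad}]`;
  }
  // Plain object: keys are untrusted input too and must be escaped as well.
  const entries = Object.entries(value);
  if (entries.length === 0) return '{}';
  const items = entries.map(
    ([k, v]) => `${inner}<span class="key">${escapeHtml(JSON.stringify(k))}</span>: ${renderJson(v, depth + 1)}`,
  );
  return `{\n${items.join(',\n')}\n${pad}}`;
}

// Constructed sample document: a string value and an array element carry markup.
const SAMPLE = '{"title": "<b>hello</b> & \\"quotes\\"", "n": 3, "tags": ["<i>x</i>", null], "<k>": true}';
const RENDERED = renderJson(JSON.parse(SAMPLE));
```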

