You mean, being able to inject any script into the content?
Afaik, there's no way to do that. That's exactly why we need this API.
Do we want to keep the barrier between the browser and the content?
If so, why?

On Tue, Jun 16, 2015 at 6:08 PM, Bobby Holley <bobbyhol...@gmail.com> wrote:
> Do privileged and certified apps currently have the ability to perform
> universal XSS? Because this would give them that, certainly.
>
> On Tue, Jun 16, 2015 at 8:57 AM, Paul Rouget <p...@mozilla.com> wrote:
>>
>> To anything that has access to the browser API. So I guess that
>> includes privileged and certified apps.
>>
>> On Tue, Jun 16, 2015 at 5:44 PM, Ehsan Akhgari <ehsan.akhg...@gmail.com>
>> wrote:
>> > What contexts are you planning to expose this to?  Certified apps?
>> >
>> >
>> > On 2015-06-16 11:24 AM, Paul Rouget wrote:
>> >>
>> >> In bug 1174733, I'm proposing a patch to implement the equivalent of
>> >> Google's webview.executeScript:
>> >>
>> >> https://developer.chrome.com/apps/tags/webview#method-executeScript
>> >>
>> >> This will be useful to any consumer of the Browser API to access and
>> >> manipulate the content.
>> >>
>> >> For some context: the browser.html project needs access to the DOM to
>> >> build some sort of tab previews (not a screenshot, something based on
>> >> colors, headers and images from the page), and we don't feel like
>> >> adding more and more methods to the Browser API to collect all the
>> >> information we need. It's just easier to be able to inject a script
>> >> and tune the preview algorithm in the system app instead of changing
>> >> the API all the time we need a new thing. It also doesn't sound like a
>> >> terrible thing to do as other vendors do a similar thing (Android's
>> >> executeScript, iOS's stringByEvaluatingJavaScriptFromString, and IE's
>> >> InvokeScript).
>> >>
>> >> The API is pretty straightforward:
>> >>
>> >>> let foo = 42;
>> >>> iframe.executeScript(`
>> >>> new Promise((resolve, reject) => {
>> >>>    setTimeout(() => resolve({foo: ${foo + 1}}), 2000);
>> >>> })
>> >>> `).then(rv => {
>> >>>    console.log(rv);
>> >>> }, error => {
>> >>>    console.error(error);
>> >>> });
>> >>
>> >>
>> >> Any reason to not do that?
>> >> Any security concerns?
>> >> Or is there a better way to do that (like a worker)?
>> >>
>> >>
>> >> -- Paul
>> >> _______________________________________________
>> >> dev-platform mailing list
>> >> dev-platform@lists.mozilla.org
>> >> https://lists.mozilla.org/listinfo/dev-platform
>> >>
>> >
>>
>>
>>
>> --
>> Paul
>
>



-- 
Paul
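
The snippet quoted above builds the injected script by interpolating a value into a template string. As an added example (not from the thread or from the patch in bug 1174733), the hypothetical `buildScript` helper below passes values as JSON-encoded arguments so that page-derived strings stay data; indirect `eval` stands in for the content context, which is an assumption since `executeScript` is only proposed here.

```javascript
// Added example; buildScript and runAsContentStandIn are hypothetical helpers.

// Serialise a function and its JSON-safe arguments into one script string.
// Values travel as JSON literals, so they cannot close a quote or add code.
// fn must be self-contained: closures do not survive fn.toString().
function buildScript(fn, ...args) {
  if (typeof fn !== "function") throw new TypeError("fn must be a function");
  const encoded = args.map((arg) => {
    const json = JSON.stringify(arg);
    if (json === undefined) throw new TypeError("argument is not JSON-serialisable");
    // U+2028/U+2029 end a line in pre-ES2019 string literals; escape them.
    return json.replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
  });
  return `(${fn.toString()})(${encoded.join(", ")})`;
}

// Weak form: the value is pasted straight into the script source.
function naiveScript(title) {
  return `({title: "${title}"})`;
}

// Stand-in for the content context: indirect eval runs the string as global
// code and returns the value of its last expression.
function runAsContentStandIn(script) {
  globalThis.__injected = false;
  const value = (0, eval)(script);
  return { value, injected: globalThis.__injected };
}

// Constructed sample: a page-derived string that closes the quote and object.
const hostileTitle = '"}); globalThis.__injected = true; ({x: "';

const weak = runAsContentStandIn(naiveScript(hostileTitle));
const safe = runAsContentStandIn(buildScript((title) => ({ title }), hostileTitle));
console.log(weak.injected, safe.injected, safe.value.title === hostileTitle);
```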