On Tue, Jun 16, 2015, at 02:45 PM, Paul Rouget wrote:
> You mentioned XSS. If I understand what you're saying, introducing
> `executeScript` allows anything that has access to the Browser API to
> inject code to any web pages. That's exactly what it is designed for.
> The Browser API already allows plenty of things. And when you have
> access to the Browser API, you most certainly have access to other
> critical APIs (bluetooth, file system, …).
The other critical APIs are explicitly requested separately. It seems like it's worth making this one a separate privilege too. Or we run into the Android problem of "I need this permission for this reasonable thing, but it also grants me access to do all these sketchy things, so what are you gonna do?"

Currently the browser API may be used for OAuth2 dance purposes for a variety of reasons. As we overhaul how we do webapps and per-app cookie jars and all that, the need for this may be removed, but right now the email app and the calendar app and probably others have the "mozbrowser" privilege. They do need this, but they absolutely do not need or want the ability to inject code into a google.com origin or other origins.

Andrew

_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform

