On Tue, Jun 16, 2015 at 9:08 AM, Bobby Holley <[email protected]> wrote: > Do privileged and certified apps currently have the ability to perform > universal XSS? Because this would give them that, certainly.
The Browser API runs content in a separate cookie jar. That means that the browser API from a security point of view is no more capable than systemXHR. I.e. it's even less capable than cross-site XHR since it doesn't use the user's normal cookies. I.e. the Browser API is just a systemXHR API plus a really good implementation of a web rendering engine in JS. That effectively means that this is not universal XSS. The browser API can only be used to XSS things that it itself has rendered. / Jonas _______________________________________________ dev-platform mailing list [email protected] https://lists.mozilla.org/listinfo/dev-platform
