On Mon, Oct 02, 2017 at 07:50:41AM -0700, Daniel Veditz wrote:
On Fri, Sep 29, 2017 at 8:33 PM, Boris Zbarsky <bzbar...@mit.edu> wrote:
On 9/29/17 3:32 PM, Kris Maglione wrote:
For instance, the following should all capture the caller principal for
the `src` URL at call time:
document.write(`<img src="http://example.com/favicon.ico">`);
div.innerHTML = `<img src="http://example.com/favicon.ico">`;
img.setAttribute("src", "http://example.com/favicon.ico");
img.src = "http://example.com/favicon.ico";
Do you _need_ to make all those ways work? I'm especially worried about
the parser ones. As long as direct DOM manipulation works, and is easier
than overwriting (or removing) the page's CSP, can't we just encourage
people to use that mechanism?
We do if we want Chrome parity, yes.
But I also have another motivation for wanting to make this as comprehensive
as possible. I'd like to make web-accessible extension URLs loadable only by
extension callers, to reduce the fingerprinting risk. Web content would still
be able to fingerprint based on content injected into pages, but they wouldn't
be able to poll for extension IDs.
There's already some risk of breaking extensions that inject scripts into the
page context if we do that. The risk goes up a lot more if we also don't
support things like innerHTML and insertAdjacentHTML.
document.write, though... To be honest, I'd be perfectly happy to forbid
content scripts from using document.write altogether, if I could get away with
it.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
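The fingerprinting concern raised above comes down to how many extension URLs web content can attempt to load: every path matched by `web_accessible_resources` is a probeable `moz-extension://<id>/...` URL. The following is an added example, not code from the thread or from Mozilla; it audits an MV2-style manifest (the 2017 WebExtensions shape, where `web_accessible_resources` is an array of glob strings) against a constructed list of packaged files and reports the exposed surface plus the patterns worth tightening. The manifest, file list, and function names are all assumptions made here for illustration.

```javascript
// Added example (not from the thread): audit an MV2-style manifest's
// web_accessible_resources. Each matched file is a URL that web content can
// try to load, so the exposed set is the fingerprinting surface; wildcard
// patterns tend to expose more than intended and are flagged.

// Convert an extension-manifest glob into an anchored RegExp.
// "**" spans path separators, "*" stays within one path segment.
function globToRegExp(glob) {
  let re = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === "*") {
      if (glob[i + 1] === "*") { re += ".*"; i++; }
      else re += "[^/]*";
    } else if ("\\^$.|?+()[]{}".includes(c)) {
      re += "\\" + c; // escape regex metacharacters literally present in the path
    } else {
      re += c;
    }
  }
  return new RegExp("^" + re + "$");
}

// Returns { exposed: sorted list of reachable files, findings: human-readable notes }.
function auditWebAccessibleResources(manifest, packagedFiles) {
  const patterns = manifest.web_accessible_resources || [];
  const findings = [];
  const exposed = new Set();
  for (const pattern of patterns) {
    const matcher = globToRegExp(pattern);
    const matched = packagedFiles.filter((f) => matcher.test(f));
    matched.forEach((f) => exposed.add(f));
    if (pattern.includes("*")) {
      findings.push(
        `wildcard pattern "${pattern}" exposes ${matched.length} file(s); ` +
        "list the concrete paths the extension actually injects instead"
      );
    }
    if (matched.length === 0) {
      findings.push(`pattern "${pattern}" matches no packaged file; remove it`);
    }
  }
  return { exposed: [...exposed].sort(), findings };
}

// Constructed sample input (assumption, not a real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "example-extension",
  web_accessible_resources: ["icons/*.png", "inject/**", "data/config.json"],
};
const SAMPLE_FILES = [
  "manifest.json",
  "background.js",
  "icons/favicon.png",
  "icons/large.png",
  "inject/frame.html",
  "inject/css/frame.css",
  "content/script.js",
  "data/config.json",
];

const report = auditWebAccessibleResources(SAMPLE_MANIFEST, SAMPLE_FILES);
console.log(`${report.exposed.length} file(s) reachable from web content:`);
for (const f of report.exposed) console.log("  " + f);
for (const note of report.findings) console.log("finding: " + note);
```

Run with `node` to see the five reachable files and the two wildcard findings for the sample manifest. The check is deliberately conservative: a wildcard is reported even when it currently matches only a few files, because the surface grows silently as files are added to the package.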