On Tue, Aug 08, 2017 at 10:46:24PM -0600, Eric H. Jung wrote:
> >
> > Isn't this a security disaster waiting to happen analogous to this:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1287590
> >
> > Has this been somehow addressed?
> >
>
> That bug is about iframes. No one in this thread has suggested that you
> inject an iframe into web content. I believe you can inject non-iframe HTML
> and not be subject to the security implications in that bug.

How do you come to this conclusion?
On the contrary: the "hostile" webpage into which you inject your div has
unlimited access to your injected content.
Add a nice password input field to your div and the JavaScript of the
webpage gets the password for free.

The situation is slightly better with an injected iframe because the hostile
webpage cannot directly access it. However, it can do any number of tricks
like overlaying it (z-index), reading out its visible content by canvas ops,
or replacing it with its own iframe, so in practice the only difference is
that the hostile webpage has it slightly more difficult to determine what you
are displaying.

Richard

--
Name and OpenPGP keys available from pgp key servers

_______________________________________________
mobile-firefox-dev mailing list
mobile-firefox-dev@mozilla.org
https://mail.mozilla.org/listinfo/mobile-firefox-dev