On Fri, Aug 7, 2009 at 12:50 AM, Aaron Boodman <[email protected]> wrote:
> We already have a contributor who has volunteered to implement
> something close to b):
> http://code.google.com/p/chromium/issues/detail?id=12465. It could
> probably be adapted to also allow executing short snippets of code in
> the page context and return serialized results.
>
> The fact that you accidentally XSS'd yourself on your first try at
> implementing this technique (see below) definitely concerns me.

[...]

> You probably don't mean to be eval()'ing code from the interwebs in a
> privileged extension context, right? ;-). JSON.parse would probably be
> a better choice here.

In general, this is a tricky line to walk. We want to let extensions interact with the page, but we want to make it hard for folks to XSS themselves. What do you think about not providing a return value from the API?

This discussion reminds me of the thought process we went through when we originally designed the content script / isolated world mechanism. Perhaps we should wait for more implementation experience before adding new APIs immediately. It's certainly easier to add APIs than it is to remove them. :)

Adam

Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
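The contrast the thread draws between eval()'ing a page's serialized result and parsing it with JSON.parse, as an added example that is not code from the thread or from Chromium; the parser names, the `sideEffects` marker and the two sample result strings are constructed for illustration.

```javascript
// Added example (not from the thread or Chromium): two ways a privileged
// extension side might turn a "serialized result" string that came back from
// page context into data. All names here are hypothetical.

// Records whether any evaluated "result" actually ran code; starts untouched.
const sideEffects = { count: 0 };

// Vulnerable pattern (the one the thread warns about): eval() treats the
// page's result as a program, so it runs with the extension's privileges.
function unsafeParseResult(serialized) {
  return eval("(" + serialized + ")");
}

// Hardened pattern: JSON.parse accepts only the JSON data grammar and never
// executes anything; malformed or non-JSON input surfaces as an error.
function safeParseResult(serialized) {
  try {
    return { ok: true, value: JSON.parse(serialized) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample results. The first is ordinary data; the second is a
// valid JavaScript object literal (its property value is a comma expression
// with a side effect) but is not valid JSON.
const HONEST_RESULT = '{"title":"Example page","links":3}';
const HOSTILE_RESULT = '{"title": (sideEffects.count++, "Example page")}';

// Runs both parsers over the samples and reports what each one did.
function compareParsers() {
  const before = sideEffects.count;
  const viaEval = unsafeParseResult(HOSTILE_RESULT);
  const evalRanCode = sideEffects.count > before;
  return {
    safeHonest: safeParseResult(HONEST_RESULT),   // ok, plain data
    safeHostile: safeParseResult(HOSTILE_RESULT), // rejected: SyntaxError
    evalHostileTitle: viaEval.title,              // looks like harmless data
    evalRanCode,                                  // true: code was executed
  };
}

console.log(JSON.stringify(compareParsers(), null, 2));
```

The eval path returns a plausible-looking object, so the damage is invisible to the caller; only the side-effect counter reveals that the "result" was executed rather than parsed.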
