On Fri, Aug 7, 2009 at 1:18 AM, Adam Barth<[email protected]> wrote:
> On Fri, Aug 7, 2009 at 12:50 AM, Aaron Boodman<[email protected]> wrote:
>> We already have a contributor who has volunteered to implement
>> something close to b):
>> http://code.google.com/p/chromium/issues/detail?id=12465. It could
>> probably be adapted to also allow executing short snippets of code in
>> the page context and return serialized results.
>>
>> The fact that you accidentally XSS'd yourself on your first try and
>> implementing this technique (see below) definitely concerns me.
>
> [...]
>
>> You probably don't mean to be eval()'ing code from the interwebs in a
>> privileged extension context, right? ;-). JSON.parse would probably be
>> a better choice here.
>
> In general, this is a tricky line to walk. We want to let extensions
> interact with the page, but we want to make it hard for folks to XSS
> themselves. What do you think about not providing a return value from
> the API?
>
> This discussion reminds me of the thought process we went through when
> we originally designed the content script / isolated world mechanism.
> Perhaps we should wait for more implementation experience before
> adding new APIs immediately. It's certainly easier to add APIs than
> it is to remove them. :)
+2

- a

Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe:
http://groups.google.com/group/chromium-dev
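
The eval() versus JSON.parse point quoted in the thread above, as an added example that is not part of the original messages or of Chromium's code: a receiver in a privileged context that treats a page-supplied string as data only. The function names, the `{type, value}` message shape and the sample strings are assumptions constructed for illustration.

```javascript
// Constructed sample inputs, standing in for strings a web page hands back.
const benign = '{"type":"result","value":{"title":"Example","links":3}}';
const hostile = '(globalThis.pwned = true, {"type":"result","value":1})';

// The pattern the thread warns about: eval() runs whatever the page sent,
// with the privileges of the calling context. (Hypothetical helper.)
function unsafeParse(text) {
  return (0, eval)("(" + text + ")");
}

// Safer receiver: JSON.parse only builds data and never executes it, and the
// result is still checked against the shape the receiver expects.
// (Hypothetical helper; the size limit is an arbitrary assumption.)
function parsePageResult(text, maxLen = 64 * 1024) {
  if (typeof text !== "string" || text.length > maxLen) {
    return { ok: false, error: "bad input size or type" };
  }
  let msg;
  try {
    msg = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: "not valid JSON" };
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, error: "not an object" };
  }
  const hasValue = Object.prototype.hasOwnProperty.call(msg, "value");
  if (msg.type !== "result" || !hasValue) {
    return { ok: false, error: "unexpected message shape" };
  }
  return { ok: true, value: msg.value };
}
```
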
