On Thu, Sep 10, 2009 at 12:31 AM, Aaron Boodman <[email protected]> wrote:
> On Thu, Sep 10, 2009 at 12:22 AM, Adam Barth<[email protected]> wrote:
>> It's interesting that this code sample uses the string form of
>> setTimeout to inject script into the main world.  Are we sure we want
>> to change that to compile the string argument in the isolated world?
>
> That makes sense to me... what are you concerned about?

This is purely an API design issue.  Either choice is fine for
security.  If we change the string form of setTimeout from compiling
in the main world to compiling in the isolated world, we should give
folks a clean API for running scripts asynchronously in the main world
instead of making them use JavaScript URLs or createElement("script").

My question is whether you'd still like me to make that change.
(Maybe laziness is tricking me into thinking it might be a good idea
to leave as-is to enable use cases like in this thread.)

Adam
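
The two behaviours discussed above, as an added example that is not part of the original message or of Chromium's code: a Node.js model in which `vm` contexts stand in for the page's main world and the extension's isolated world. The names `compileString`, `stringTimeout`, `pageGlobal` and `extensionGlobal` are hypothetical, and the shared `document` object is a constructed stand-in for the DOM.

```javascript
// Model only: two vm contexts have separate JavaScript globals but share one
// DOM-like object, which is the property isolated worlds give content scripts.
const vm = require('node:vm');

// Constructed stand-in for the page DOM, visible from both worlds.
const sharedDocument = { title: 'constructed page' };
const makeWorld = (name) =>
  vm.createContext({ document: sharedDocument, worldName: name });
const worlds = { main: makeWorld('main'), isolated: makeWorld('isolated') };

// The page's own script runs in the main world.
vm.runInContext('var pageGlobal = "set by page";', worlds.main);
// The content script runs in the isolated world.
vm.runInContext('var extensionGlobal = "set by content script";', worlds.isolated);

// Hypothetical core of setTimeout(string): `compileIn` selects which world
// the string argument is compiled and run in ('main' or 'isolated').
function compileString(code, compileIn) {
  return vm.runInContext(code, worlds[compileIn]);
}

// Asynchronous wrapper, as the string form of setTimeout would behave.
function stringTimeout(code, compileIn, done) {
  return setTimeout(() => done(compileString(code, compileIn)), 0);
}

// The same string sees different globals depending on where it is compiled.
const PROBE = '[worldName, typeof pageGlobal, typeof extensionGlobal].join(",")';

function compare() {
  return {
    main: compileString(PROBE, 'main'),         // sees page globals only
    isolated: compileString(PROBE, 'isolated'), // sees content-script globals only
  };
}

// Either way the DOM is shared: a change made from one world is visible in the other.
function domIsShared() {
  compileString('document.title = "retitled from " + worldName', 'main');
  return compileString('document.title', 'isolated');
}

stringTimeout(PROBE, 'main', (r) => console.log('compiled in main world:    ', r));
stringTimeout(PROBE, 'isolated', (r) => console.log('compiled in isolated world:', r));
```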
