On Wed, Oct 14, 2015 at 5:08 AM, Michael Henretty <[email protected]> wrote:
>
> On Wed, Oct 14, 2015 at 4:30 AM, Luca Greco <[email protected]>
> wrote:
>
>> In this case (the fxos-addon-beacon-scanner) the problem can be solved by
>> using the content script just to inject the real beacon-scanner javascript
>> code into the page context (e.g. by appending a new tag script)
>
>
> So much for security. Since we have this alternative I feel like we should
> just turn off the wrappers for now (or quickly come up with a way to waive
> x-rays), otherwise this script injection -> script injection will become a
> "best" practice.
>

Well, there isn't anything too bad about <script> tag injection AFAIK. Unlike disabling wrappers, the <script> tag doesn't have access to privileged extension APIs. The <script> can only communicate with the extension through a facility like postMessage. So it's really not that different from something like Cu.exportFunction. I don't really see any reason why this shouldn't be a recommended solution if you need to access JS properties in the page.

I do think that we need to think more about the Xray/isolated world differences and how to bridge them though. People are going to keep finding issues like this.

-Bill
_______________________________________________
dev-fxos mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-fxos
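
The pattern discussed in this thread, as an added example that is not part of the original message or of the add-on's own code: a content script injects the page-context script, then validates everything the page sends back over postMessage before passing it to privileged code. All function names, the channel tag and the message shape are assumptions made for illustration.

```javascript
// Added example: content-script side of a <script>-injection bridge.
// All names (CHANNEL, injectPageScript, makePageMessageHandler, the
// "beacon-found" message shape) are hypothetical, not from the add-on.
const CHANNEL = "beacon-scanner-bridge";

// Runs in the content script: load the real scanner code in the page context.
// The injected script gets page privileges only, no extension APIs.
function injectPageScript(doc, scriptUrl) {
  const el = doc.createElement("script");
  el.src = scriptUrl;
  el.onload = () => el.remove(); // the code keeps running after the tag is removed
  (doc.head || doc.documentElement).appendChild(el);
  return el;
}

// Anything arriving over postMessage is page-controlled, so validate it
// before it reaches privileged code. Returns true only if forwarded.
function makePageMessageHandler(win, forward) {
  return function onMessage(event) {
    if (event.source !== win) return false; // other frames or windows
    if (event.origin !== win.location.origin) return false;
    const msg = event.data;
    if (msg === null || typeof msg !== "object") return false;
    if (msg.channel !== CHANNEL || msg.type !== "beacon-found") return false;
    if (typeof msg.uuid !== "string" || !/^[0-9a-f-]{36}$/i.test(msg.uuid)) return false;
    if (!Number.isInteger(msg.rssi) || msg.rssi < -127 || msg.rssi > 20) return false;
    // Forward a fresh object holding only the validated fields.
    forward({ type: "beacon-found", uuid: msg.uuid.toLowerCase(), rssi: msg.rssi });
    return true;
  };
}

// In a content script this would be wired up as:
//   injectPageScript(document, urlOfPageScript);
//   window.addEventListener("message", makePageMessageHandler(window, sendToExtension));
```
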

