On Wed, May 6, 2015 at 7:02 PM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:
> * Restricting this API to resources loaded from a secure origin also doesn't
> help in any way in practice.  It doesn't address your original concern _at
> all_ (since your malicious web site can easily get a certificate and perform
> the same annoying operation), and a potential network attacker MITMing your
> connection can inject a tiny Flash object and script it.  It will be a few
> more lines of code for the attacker to write, and they would get a pretty
> solid attack for the majority of desktop users, at least.

Flash will go away (to the extent it hasn't already on mobile), this
feature won't. We should offer better security than what came before.


-- 
https://annevankesteren.nl/
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
