Do privileged and certified apps currently have the ability to perform universal XSS? Because this would give them that, certainly.
On Tue, Jun 16, 2015 at 8:57 AM, Paul Rouget <[email protected]> wrote:
> To anything that has access to the browser API. So I guess that
> includes privileged and certified apps.
>
> On Tue, Jun 16, 2015 at 5:44 PM, Ehsan Akhgari <[email protected]>
> wrote:
> > What contexts are you planning to expose this to? Certified apps?
> >
> >
> > On 2015-06-16 11:24 AM, Paul Rouget wrote:
> >>
> >> In bug 1174733, I'm proposing a patch to implement the equivalent of
> >> Google's webview.executeScript:
> >>
> >> https://developer.chrome.com/apps/tags/webview#method-executeScript
> >>
> >> This will be useful to any consumer of the Browser API to access and
> >> manipulate the content.
> >>
> >> For some context: the browser.html project needs access to the DOM to
> >> build some sort of tab previews (not a screenshot, something based on
> >> colors, headers and images from the page), and we don't feel like
> >> adding more and more methods to the Browser API to collect all the
> >> information we need. It's just easier to be able to inject a script
> >> and tune the preview algorithm in the system app instead of changing
> >> the API all the time we need a new thing. It also doesn't sound like a
> >> terrible thing to do as other vendors do a similar thing (Android's
> >> executeScript, iOS's stringByEvaluatingJavaScriptFromString, and IE's
> >> InvokeScript).
> >>
> >> The API is pretty straightforward:
> >>
> >>> let foo = 42;
> >>> iframe.executeScript(`
> >>>   new Promise((resolve, reject) => {
> >>>     setTimeout(() => resolve({foo: ${foo + 1}}), 2000);
> >>>   })
> >>> `).then(rv => {
> >>>   console.log(rv);
> >>> }, error => {
> >>>   console.error(error);
> >>> });
> >>
> >>
> >> Any reason to not do that?
> >> Any security concerns?
> >> Or is there a better way to do that (like a worker)?
> >>
> >>
> >> -- Paul
> >> _______________________________________________
> >> dev-platform mailing list
> >> [email protected]
> >> https://lists.mozilla.org/listinfo/dev-platform
> >>
> >
> >
>
> --
> Paul
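
One concrete concern with the string-based call quoted above, shown as an added example that is not part of the thread or of the proposed patch: a value interpolated into the script source is parsed as code in the target page, so a caller has to serialize it as data. `buildScriptRaw`, `buildScriptSafe`, `evaluateAsContent` and the sample string are hypothetical names and constructed input; `evaluateAsContent` only stands in for the content page evaluating the string.

```javascript
// Added example: compares raw template interpolation (the style used in the
// quoted snippet) with passing the same value as a serialized JSON argument.

// Constructed sample: a string the embedder might have read from a web page.
const UNTRUSTED = '1, injected: true';

// Mirrors `resolve({foo: ${foo + 1}})`: fine for a number computed by the
// caller, but any string placed here becomes part of the script's syntax.
function buildScriptRaw(value) {
  return `({foo: ${value}})`;
}

// Hypothetical helper: the function body is fixed by the caller and the
// arguments travel as a JSON literal, so they can only be parsed as data.
// U+2028/U+2029 are escaped for engines that predate ES2019, and "<" is
// escaped so the text stays inert if it is ever embedded in markup.
function buildScriptSafe(fn, ...args) {
  const literal = JSON.stringify(args)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\u003c');
  return `(${fn.toString()}).apply(null, ${literal})`;
}

// Stand-in for the content page evaluating the injected source text.
function evaluateAsContent(source) {
  return (0, eval)(source);
}

// Raw interpolation: the string changed the shape of the evaluated object.
const rawResult = evaluateAsContent(buildScriptRaw(UNTRUSTED));
console.log(rawResult);

// Serialized argument: the same string comes back unchanged, as a value.
const safeResult = evaluateAsContent(
  buildScriptSafe(v => ({foo: v}), UNTRUSTED)
);
console.log(safeResult);
```

This only addresses how a caller builds the script string; it does not change which origins a caller of the API can reach.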

