On Tue, Jun 16, 2015 at 9:20 AM, Paul Rouget <[email protected]> wrote:
> You mean, being able to inject any script into the content? > Afaik, there's no way to do that. That's exactly why we need this API. > Do we want to keep the barrier between the browser and the content? > If so, why? > Well, presumably because we might not want the browser app to be able to XSS every website ever? Maybe we're ok with that, but it's tantamount to running the browser app with system principal, which is something that we currently don't do, so presumably the b2g security people have a thing or two to say about it. _______________________________________________ dev-platform mailing list [email protected] https://lists.mozilla.org/listinfo/dev-platform
