On Wed, Jun 17, 2015 at 12:02 AM, Tim Guan-tin Chien
<[email protected]> wrote:
> How about the risk of having API users intentionally creating local
> APIs? For example, people can implement support for <meta
> apple-touch-icon> just in Gaia.
>
> I was told this is a concern back in B2G v1.0.

I think that's fine. It's definitely something we should discourage
partners, or browser app developers, from to all of the web. But I
don't think we have many browser apps, and partners will soon be able
to do using addons, so I don't see this as a reason to disallow it on
the Browser API.

If I said otherwise back then, then I was wrong and I'm sorry.

However it might be a good idea to add some security features to the
API. I.e. something like:

browserAPI.executeScript(script, { origin: "http://a.com" });
and
browserAPI.executeScript(script, { url: "http://a.com/b.html" });

which would only execute the script if the url/origin match.

/ Jonas
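
The url/origin guard proposed in the message above, sketched as an added example (not code from this thread or from the Browser API). The names parse, targetMatches, guardedExecute and the frame object are hypothetical, and ignoring the fragment when comparing URLs is an assumption of this sketch.

```javascript
// Added illustration. guardedExecute, targetMatches and the frame object
// ({ location, run }) are hypothetical names, not Browser API members.

// Parse a URL and drop its fragment; returns null if it does not parse.
function parse(u) {
  try {
    const p = new URL(u);
    p.hash = "";
    return p;
  } catch (e) {
    return null;
  }
}

// True only if the document at currentUrl satisfies every constraint given.
function targetMatches(currentUrl, constraint) {
  const current = parse(currentUrl);
  // Fail closed on unparsable locations and on opaque origins
  // (data:, about:blank), which serialize to the string "null".
  if (!current || current.origin === "null") return false;
  const { origin, url } = constraint || {};
  if (origin === undefined && url === undefined) return false;
  if (origin !== undefined) {
    const wanted = parse(origin);
    // Compare parsed scheme/host/port, never a string prefix.
    if (!wanted || wanted.origin !== current.origin) return false;
  }
  if (url !== undefined) {
    const wanted = parse(url);
    if (!wanted || wanted.href !== current.href) return false;
  }
  return true;
}

// Check and run in one step, reading the location at execution time so a
// navigation that happened after the caller last looked is caught.
function guardedExecute(frame, script, constraint) {
  if (!targetMatches(frame.location, constraint)) {
    return { executed: false, location: frame.location };
  }
  return { executed: true, result: frame.run(script) };
}

// Constructed sample: a frame that navigates away from a.com between calls.
const sampleFrame = { location: "http://a.com/b.html", run: (s) => "ran " + s };
const before = guardedExecute(sampleFrame, "1+1", { origin: "http://a.com" });
sampleFrame.location = "http://a.com.evil.example/b.html";
const after = guardedExecute(sampleFrame, "1+1", { origin: "http://a.com" });
console.log(before.executed, after.executed); // true false
```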