On Wednesday, February 28, 2018 at 7:32:27 PM UTC-6, Ryan Hurst wrote: > On Wednesday, February 28, 2018 at 10:42:25 AM UTC-8, Alex Gaynor wrote: > > If the "fail verification only" option is not viable, I personally think we > > shouldn't expose this to extensions. > > > > I agree, there are far too many ways this will be abused and the cases in > which it would be useful are not worth the negative consequences to the > average browser user, at least in my opinion. > > Ryan Hurst
What new risks would this expose users to that they are not already exposed to via the webRequest permission and the https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/tabs/executeScript API? It seems to me that extensions can already get pretty much full control of the user's browsing experience. Is possibly enabling MITM _really_ any worse than that? _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
