http://kb.mozillazine.org/Dev_:_Extending_the_Chrome_Protocol
It states
"This content will have the same system permissions as regular chrome
content, making it possible to create scripts which programmatically
generate XUL pages and stylesheets. Remote chrome can also be implemented."
Am I understanding correctly that the component loads remote
content with chrome privileges? Just to get around the RDF
implementation limitations for remote XUL? If so, that would of course
be a huge gaping security hole, and should be purged from KB.
In general (not this particular case, I've seen a number of other
cases), I am very concerned about the Mozilla extension community. The
intentional simplicity of XUL and JS combined with the unlimited power
of chrome to access the user's computer are an acid mix. And not even
obviously so. We have a large number of newbie programmers building a
community, who are happy to simply have anything *running*, and
exchanging ideas and copying code from each other, and nobody looks
after it.
--
When responding via mail, please remove the ".news" from the email address.