I suspect that one of {biesi/bz/brian} knows the answer to this, but
the issue is of general enough interest that I'm posting here.In https://bugzilla.mozilla.org/show_bug.cgi?id=696662 we're debating adding the capability for extensions to read/modify/ delete HTTP auth headers in requests during http-on-modify-request. There's been some question about whether this needs a full security review or not. My basic hunch is that we already allow extensions massive enough powers (rm -rf /, etc) that this is a fairly trivial addition to their powers (they can already modify cookie headers, for instance), so I'd think that we don't need to involve the sec team here. But perhaps those with more experience with sec reviews know better than I do. Jason _______________________________________________ dev-tech-network mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-network
