Max Nikulin <maniku...@gmail.com> writes: > Have you considered reporting a bug to Firefox? > > I have tried year old versions of Chromium and Firefox and have > realized that e.g. javascript:a="test" consistently replaces document > content. Chromium still discards expression value in the case of > assignment to "location". So the change is specific to Firefox > (including ESR channel) and perhaps an unintentional side effect of > another fix, likely a security one.
I am not sure what I could add as my knowledge of what constitues correct browser behavior is limited. Feel free to do so on my behalf. >> Interestingly, the `org-capture` extension for Firefox from >> https://github.com/sprig/org-capture-extension continues to work without >> producing this issue (i.e. the link is captured and the webpage >> continues to be displayed properly). > > So Firefox and Chromium behavior content scripts has diverged. > Chromium asks permission on behalf of the current web page while > Firefox treats as the add-on permission. Likely it is a result of > <https://bugzilla.mozilla.org/1792138> > "(CVE-2023-25729) Extensions are not prompted before opening external > schemes, leading to security issues" > > Treatment of external protocol handlers is rather inconsistent in > browsers and it is unstable. Not sure what to say or do about this, but thanks for letting me know. I suppose it means that we should expect some further disruptive behavior to extensions (not just the insecure bookmarklets) using Org-protocol, but as you indicate it sounds like it is a wider problem.
