On Tue, Aug 08, 2017 at 10:46:24PM -0600, Eric H. Jung wrote:
> >
> >
> > Isn't this a security disaster waiting to happen analogous to this:
> >   https://bugzilla.mozilla.org/show_bug.cgi?id=1287590
> >
> > Has this been somehow addressed?
> >
> That bug is about iframes. No one in this thread has suggested that you
> inject an iframe into web content. I believe you can inject non-iframe HTML
> and not be subject to the security implications in that bug.

how do you come to this conclusion? On the contrary: the "hostile" webpage
into which you inject your div has unlimitted access to your injected content
Add a nice password input field to your div and the javascript of the webpage
gets the password for free.

The situation is slightly better with an injected iframe because the hostile
webpage can not directly access it. However it can do any number of tricks
like overlaying it (z-index), reading out its visible content by canvass ops, 
replacing it with own iframe so in practice the only difference is that the 
hostile webpage has it slightly more difficult to determine what you are 


Name and OpenPGP keys available from pgp key servers

mobile-firefox-dev mailing list

Reply via email to