Yes, chrome uses openDialog, because we can vouch for the contents of
the chrome directory, since it is part of the browser and subject to
code review. We have no such guarantees for content coming in over the
Web, so that content doesn't get to use openDialog.
-Mitch
Neil wrote:
> Mitchell Stoltz wrote:
>
>> openDialog allows a nasty exploit, which is why it can't be called
>> from content.
>
> Presumably this nasty exploit is something that chrome often wants to
> do... I notice many calls to window.openDialog( chromeURL, '_blank',
> 'chrome,all,dialog=no' ) in the chrome, I know that window.open doesn't
> support the useful "all" keyword...
>