On Tue, Jun 16, 2015 at 2:48 PM, Jonas Sicking wrote:
> On Tue, Jun 16, 2015 at 9:08 AM, Bobby Holley
> wrote:
> > Do privileged and certified apps currently have the ability to perform
> > universal XSS? Because this would give them that, certainly.
>
> The Browser API runs content in a separat
On 17 June 2015 at 15:57, Paul Rouget wrote:
> - access the computed style of the body to update the theme of the browser
>
By theme do you mean like a kind of automatic theme-color? You probably
know the b2g browser currently just uses the metachange event to get
theme-color meta tags for this,
On Wed, Jun 17, 2015 at 4:41 PM, Benjamin Francis wrote:
> On 17 June 2015 at 13:29, Paul Rouget wrote:
>>
>> Extending the API every time we want to do something that goes beyond the
>> API
>> capabilities is painful and slow.
>
>
> Yes I'm acutely aware of this, having done it for the last thre
On 17 June 2015 at 13:29, Paul Rouget wrote:
> Extending the API every time we want to do something that goes beyond the
> API
> capabilities is painful and slow.
Yes I'm acutely aware of this, having done it for the last three and a half
years :)
> The executeScript approach makes our
> life a
On Wed, Jun 17, 2015 at 2:06 PM, Benjamin Francis wrote:
> On 16 June 2015 at 16:24, Paul Rouget wrote:
>>
>> In bug 1174733, I'm proposing a patch to implement the equivalent of
>> Google's webview.executeScript:
>>
>> https://developer.chrome.com/apps/tags/webview#method-executeScript
>>
>> Thi
On 16 June 2015 at 16:24, Paul Rouget wrote:
> In bug 1174733, I'm proposing a patch to implement the equivalent of
> Google's webview.executeScript:
>
> https://developer.chrome.com/apps/tags/webview#method-executeScript
>
> This will be useful to any consumer of the Browser API to access and
>
On 16.06.2015 21:41, Paul Rouget wrote:
> On Tue, Jun 16, 2015 at 9:33 PM, Bobby Holley wrote:
>> On Tue, Jun 16, 2015 at 12:28 PM, Paul Rouget wrote:
>>>
>>> The goal is to build a browser in HTML. Not to run a browser in
>>> current Firefox Desktop or in Chrome.
>>
>>
>> Ok. Are you also aiming
On Wed, Jun 17, 2015 at 12:02 AM, Tim Guan-tin Chien
wrote:
> How about the risk of having API users intentionally creating local
> APIs? For example, people can implement support for apple-touch-icon> just in Gaia.
>
> I was told this is a concern back in B2G v1.0.
I think that's fine. It's def
How about the risk of having API users intentionally creating local
APIs? For example, people can implement support for just in Gaia.
I was told this is a concern back in B2G v1.0.
On Wed, Jun 17, 2015 at 5:52 AM, Jonas Sicking wrote:
> On Tue, Jun 16, 2015 at 10:33 AM, Bobby Holley wrote:
>>
On Tue, Jun 16, 2015 at 10:33 AM, Bobby Holley wrote:
> On Tue, Jun 16, 2015 at 10:06 AM, Paul Rouget wrote:
>
>> What would be the right approach to allow such a feature?
>> Would adding a new permission help?
>>
> Well, it sorta depends on what you're trying to accomplish. browser.html is
> sup
On Tue, Jun 16, 2015 at 9:08 AM, Bobby Holley wrote:
> Do privileged and certified apps currently have the ability to perform
> universal XSS? Because this would give them that, certainly.
The Browser API runs content in a separate cookie jar. That means that
the browser API from a security point
On Tue, Jun 16, 2015 at 9:33 PM, Bobby Holley wrote:
> On Tue, Jun 16, 2015 at 12:28 PM, Paul Rouget wrote:
>>
>> The goal is to build a browser in HTML. Not to run a browser in
>> current Firefox Desktop or in Chrome.
>
>
> Ok. Are you also aiming to remove the dependency on XPCOM (i.e. Componen
I may be wrong, but isn't it possible to implement the same thing by
injecting a `postMessage()`-based piece of code in the source code of
the page during load?
I'm doing just that in my HTML5 ebook reader. It's pretty annoying,
because this is pre-ServiceWorker code, but I suspect that this can b
On Tue, Jun 16, 2015 at 12:28 PM, Paul Rouget wrote:
> The goal is to build a browser in HTML. Not to run a browser in
> current Firefox Desktop or in Chrome.
>
Ok. Are you also aiming to remove the dependency on XPCOM (i.e.
Components)? In that case it seems reasonable to swap out the System
Pr
On Tue, Jun 16, 2015 at 9:24 PM, Bobby Holley wrote:
> On Tue, Jun 16, 2015 at 11:45 AM, Paul Rouget wrote:
>>
>> You mentioned XSS. If I understand what you're saying, introducing
>> `executeScript` allows anything that has access to the Browser API to
>> inject code to any web pages. That's exa
On Tue, Jun 16, 2015 at 9:13 PM, Andrew Sutherland
wrote:
> On Tue, Jun 16, 2015, at 02:45 PM, Paul Rouget wrote:
>> You mentioned XSS. If I understand what you're saying, introducing
>> `executeScript` allows anything that has access to the Browser API to
>> inject code to any web pages. That's e
On Tue, Jun 16, 2015 at 11:45 AM, Paul Rouget wrote:
> You mentioned XSS. If I understand what you're saying, introducing
> `executeScript` allows anything that has access to the Browser API to
> inject code to any web pages. That's exactly what it is designed for.
> The Browser API already allow
On Tue, Jun 16, 2015, at 02:45 PM, Paul Rouget wrote:
> You mentioned XSS. If I understand what you're saying, introducing
> `executeScript` allows anything that has access to the Browser API to
> inject code to any web pages. That's exactly what it is designed for.
> The Browser API already allows
On Tue, Jun 16, 2015 at 7:50 PM, Bobby Holley wrote:
> On Tue, Jun 16, 2015 at 10:38 AM, Paul Rouget wrote:
>>
>> I don't know how this works (Xray vision).
>
>
> Given what you're doing, it's definitely worth learning about. A basic
> overview is here: https://developer.mozilla.org/en-US/docs/Xray_vis
On Tue, Jun 16, 2015 at 10:38 AM, Paul Rouget wrote:
> I don't know how this works (Xray vision).
>
Given what you're doing, it's definitely worth learning about. A basic
overview is here: https://developer.mozilla.org/en-US/docs/Xray_vision
For more detail and a bigger-picture view of why this is a
I don't know how this works (Xray vision).
Code, in the child process, is executed this way:
+let sandbox = new Cu.Sandbox(content, {
+ sandboxPrototype: content,
+ wantXrays: false,
+ sandboxName: "browser-api-execute-script"
+});
+
+let sandboxRv = Cu.evalInSandbox(script,
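Review bot: `wantXrays: false` together with `sandboxPrototype: content` in the sandbox options means the injected script sees the page's own, possibly redefined, DOM and JS properties rather than Xray-wrapped ones, so anything it reads or calls can be influenced by the page. Because the sandbox is created from the `content` window, the script does not run with elevated privileges, but the caller should treat the value that comes back from `Cu.evalInSandbox` as untrusted page data. A comment on the `wantXrays: false` line stating that this is intentional, and why, would make the trade-off explicit.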
On Tue, Jun 16, 2015 at 10:21 AM, smaug wrote:
> What is the context where the scripts would run? In the page or something
> more like a TabChildGlobal (the child side of a message manager)
> but without chrome privileges?
This is also worth emphasizing - without Xray Vision (which you can't ha
On Tue, Jun 16, 2015 at 10:06 AM, Paul Rouget wrote:
> What would be the right approach to allow such a feature?
> Would adding a new permission help?
>
Well, it sorta depends on what you're trying to accomplish. browser.html is
supposed to be creating a web browser using only "the web", right?
What is the context where the scripts would run? In the page or something more
like a TabChildGlobal (the child side of a message manager)
but without chrome privileges?
On 06/16/2015 06:24 PM, Paul Rouget wrote:
In bug 1174733, I'm proposing a patch to implement the equivalent of
Google's we
What would be the right approach to allow such a feature?
Would adding a new permission help?
On Tue, Jun 16, 2015 at 6:32 PM, Bobby Holley wrote:
> On Tue, Jun 16, 2015 at 9:20 AM, Paul Rouget wrote:
>>
>> You mean, being able to inject any script into the content?
>> Afaik, there's no way to d
On Tue, Jun 16, 2015 at 9:20 AM, Paul Rouget wrote:
> You mean, being able to inject any script into the content?
> Afaik, there's no way to do that. That's exactly why we need this API.
> Do we want to keep the barrier between the browser and the content?
> If so, why?
>
Well, presumably becaus
You mean, being able to inject any script into the content?
Afaik, there's no way to do that. That's exactly why we need this API.
Do we want to keep the barrier between the browser and the content?
If so, why?
On Tue, Jun 16, 2015 at 6:08 PM, Bobby Holley wrote:
> Do privileged and certified app
Do privileged and certified apps currently have the ability to perform
universal XSS? Because this would give them that, certainly.
On Tue, Jun 16, 2015 at 8:57 AM, Paul Rouget wrote:
> To anything that has access to the browser API. So I guess that
> includes privileged and certified apps.
>
>
To anything that has access to the browser API. So I guess that
includes privileged and certified apps.
On Tue, Jun 16, 2015 at 5:44 PM, Ehsan Akhgari wrote:
> What contexts are you planning to expose this to? Certified apps?
>
>
> On 2015-06-16 11:24 AM, Paul Rouget wrote:
>>
>> In bug 1174733,
What contexts are you planning to expose this to? Certified apps?
On 2015-06-16 11:24 AM, Paul Rouget wrote:
In bug 1174733, I'm proposing a patch to implement the equivalent of
Google's webview.executeScript:
https://developer.chrome.com/apps/tags/webview#method-executeScript
This will be us
In bug 1174733, I'm proposing a patch to implement the equivalent of
Google's webview.executeScript:
https://developer.chrome.com/apps/tags/webview#method-executeScript
This will be useful to any consumer of the Browser API to access and
manipulate the content.
For some context: the browser.html