On 4/15/15 12:54 PM, Jan Odvarko wrote:
> This approach has one security implication, if the page uses "default-src 'none'" (or other security restrictions?) - injecting JS into it generates warnings: "Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src 'none'")."
How does our XML prettyprinter manage this? I seem to recall it force-loads an XBL binding that provides all the scriptability. Does that have the same problem with CSP headers? If not, can you take the same approach here?
-Boris
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform