On 4/15/15 12:54 PM, Jan Odvarko wrote:
This approach has one security implication, if the page uses "default-src
'none'" (or other security restrictions?) - injecting JS into it generates
warnings: "Content Security Policy: The page's settings blocked the loading
of a resource at self ("default-src 'none'")."
How does our XML prettyprinter manage this? I seem to recall it
force-loads an XBL binding that provides all the scriptability. Does
that have the same problem with CSP headers? If not, can you take the
same approach here?
-Boris
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
