On Friday, September 29, 2017 at 2:32:57 PM UTC-5, Kris Maglione wrote:
> Security & privacy concerns:
>
> This change will allow extensions to inject content into sites which can
> (and probably will) cause security and privacy issues. However, it's
> already quite easy for malicious or badly-implemented extensions to
> create similar issues, and I don't think this change significantly
> increases the risk. It may even mitigate it in some cases, since the
> alternative of loading or evaling third-party scripts into the content
> script sandbox would give them direct access to elevated privileges.
>
> Per the CSP spec, those injections are assumed to be at the user's
> behest, and should therefore take priority over the page author's
> preferences.

+1 on this part. As an add-on author, when I need to inject something the page CSP doesn't allow, I can already overwrite the page CSP to allow it. But that feels more dangerous!

