On Fri, Feb 14, 2020 at 11:50 AM Dale Harvey <dhar...@mozilla.com> wrote:

> We’re proposing a new mime-type [...]: “x-xpinstall” for WebExtension search
> engines. Example: <link rel=“search” type=“x-xpinstall” href="https://
> [...]


This is confusingly similar to "application/x-xpinstall" which we use to
trigger extension installs from link clicks. Since standard media-type
syntax is "<type>/<subtype>" some authors will tend to fill in the
"missing" bit and get it wrong, and others will complain that the syntax is
non-standard and broken.

Does this code enforce that the .xpi we download and attempt to install is
actually a search type and not an arbitrary WebExtension? If any extension
type will work, then re-using the full application/x-xpinstall is
appropriate, but that sounds like it would go against user expectation and
might trick users into doing something dangerous. "This page would like to
install 'Steal all your data from every page search engine'. OK?" If the
code does enforce only search type add-ons, will it be confusing to use the
generic media-type? Or maybe it's OK anyway, since rel="search" is required
and can be taken as requiring that subset.

If you _do_ invent a new one shared with other browser vendors, please
don't use an "x-" prefix in anything new.
https://tools.ietf.org/html/rfc6648 [2012] (hey -- our very own St. Peter)

> Secure contexts: Yes.

"Yes" meaning "required", I hope.

> Is this feature enabled by default in sandboxed iframes? Yes, this feature
> does not have any impact on sandboxed iframes.

Currently the feature doesn't seem to work in regular frames, only the
top-level document, so I don't know why it would work in sandboxed frames.

data:text/html,<iframe src=https://www.merriam-webster.com/></iframe>

-Dan Veditz
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
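The question above about enforcing that the downloaded .xpi is "actually a search type" can be pictured as an allowlist check on the extension's manifest.json. This is an added example, not part of the message and not Firefox's code; the function name, the choice of allowed keys, and both sample manifests are assumptions constructed for illustration.

```javascript
// Added illustration: allowlist check for a "search engine only" manifest.
// Which keys count as harmless is an assumed policy, not Firefox's actual rule.
const ALLOWED_TOP_LEVEL = new Set([
  "manifest_version", "name", "version", "description", "icons",
  "default_locale", "author", "homepage_url",
  "applications", "browser_specific_settings", "chrome_settings_overrides",
]);

function checkSearchOnlyManifest(manifest) {
  if (manifest === null || typeof manifest !== "object" || Array.isArray(manifest)) {
    return { ok: false, reasons: ["manifest is not a JSON object"] };
  }
  const reasons = [];
  // Anything outside the allowlist (permissions, content_scripts, background...)
  // means the package is more than a search engine definition.
  for (const key of Object.keys(manifest)) {
    if (!ALLOWED_TOP_LEVEL.has(key)) reasons.push(`unexpected key: ${key}`);
  }
  const overrides = manifest.chrome_settings_overrides;
  if (overrides === null || typeof overrides !== "object" || Array.isArray(overrides)) {
    reasons.push("missing chrome_settings_overrides");
    return { ok: false, reasons };
  }
  // Only the search_provider override is accepted (no homepage override etc.).
  for (const key of Object.keys(overrides)) {
    if (key !== "search_provider") reasons.push(`unexpected override: ${key}`);
  }
  const sp = overrides.search_provider;
  let url = null;
  try { url = new URL(sp && sp.search_url); } catch (e) { /* invalid or absent */ }
  if (!url || url.protocol !== "https:") reasons.push("search_url is not an https URL");
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample manifests (not taken from any real add-on).
const SAMPLE_SEARCH_ONLY = {
  manifest_version: 2, name: "Example Search", version: "1.0",
  chrome_settings_overrides: {
    search_provider: { name: "Example", search_url: "https://search.example/?q={searchTerms}" },
  },
};
const SAMPLE_OVERBROAD = {
  manifest_version: 2, name: "Example Search", version: "1.0",
  permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  chrome_settings_overrides: SAMPLE_SEARCH_ONLY.chrome_settings_overrides,
};
```
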
