On 2/27/18 3:26 PM, Hanno Böck via dev-security-policy wrote:
> Hi,
>
> On Tue, 27 Feb 2018 09:20:33 -0700
> Wayne Thayer via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
>> This capability existed in the legacy Firefox extension system that
>> was deprecated last year. It was used to implement stricter security
>> mechanisms (e.g. CertPatrol) and to experiment with new mechanisms
>> such as Certificate Transparency and DANE.
>
> Wouldn't it be a good compromise to say: Extensions can downgrade
> security, but they can't upgrade it?

Don't you mean the other way around? Otherwise, we're creating a powerful footgun.

Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy