Marine wrote: > The webpage have to be able to expose some values/parameters to the > extension. > So I tried to add properties to button, to document or to window > objects, in my webpage.
The problem is that reading those from chrome would be exploitable (by the webpage). You can do it if you trust the webpage by looking at the wrappedJSObject of the thing you're working with, instead of the thing itself. But make sure you trust the webpage (e.g. that it's served over https from a server you control). -Boris _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
