Quick question for you… When a XUL file in an installed Firefox addon pulls in a remote script via HTTP:
e.g. inside firefoxOverlay.xul:

    <script src="http://example.com/extensions/script.js?ff"/>

...is that script accorded the permissions of the chrome:// security zone? If so, that can enable a remote EoP if there's a MiTM attack, right?

Thanks!
-Eric

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
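A defender-side check for the pattern asked about above, as an added example that is not part of the original message: it parses a XUL overlay and lists every `<script>` whose `src` points outside the add-on package, labelling cleartext schemes separately. The function name, the labels and the sample overlay (a made-up extension called `myext`) are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Schemes that resolve inside the installed add-on or the browser itself.
# "" covers relative paths, which resolve against the overlay's own chrome:// URL.
LOCAL_SCHEMES = {"chrome", "resource", ""}
CLEARTEXT_SCHEMES = {"http", "ftp"}

# XUL overlays normally use DTD entities (&myext.label;) for localised strings.
# A stand-alone XML parser cannot resolve them, so they are blanked before parsing.
DTD_ENTITY = re.compile(r"&(?!(?:amp|lt|gt|quot|apos);|#)[\w.-]+;")


def audit_xul(text):
    """Return [(label, src)] for each <script> whose src leaves the add-on package."""
    root = ET.fromstring(DTD_ENTITY.sub("", text))
    findings = []
    for element in root.iter():
        # Tags arrive as "{namespace}script"; compare on the local name only.
        if element.tag.rsplit("}", 1)[-1] != "script":
            continue
        src = (element.get("src") or "").strip()
        scheme = urlparse(src).scheme.lower()
        if scheme in LOCAL_SCHEMES:
            continue
        label = "cleartext" if scheme in CLEARTEXT_SCHEMES else "remote"
        findings.append((label, src))
    return findings


# Constructed sample overlay, not taken from any real extension.
SAMPLE = """
<!DOCTYPE overlay SYSTEM "chrome://myext/locale/overlay.dtd">
<overlay id="myext-overlay"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script src="chrome://myext/content/overlay.js"/>
  <script src="http://example.com/extensions/script.js?ff"/>
  <script src="https://example.com/extensions/other.js"/>
  <script src="local.js"/>
  <menuitem id="myext-item" label="&myext.label;"/>
</overlay>
"""

if __name__ == "__main__":
    for label, src in audit_xul(SAMPLE):
        print(f"{label:9} {src}")
```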