I was thinking (in bug 491243) that channels shouldn't inherit chrome
privileges ever unless they are data, javascript or chrome channels
(or that sort).

For example, it is possible for any web site to run in an elevated
context (and do practically anything to the user's computer) if you
type the following in the error console command-line:

window.openDialog("http://www.google.com");

Is that right? It's one thing to allow running arbitrary scripts that
are privileged, I really don't think channels should inherit the
context though...
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security