Boris Zbarsky a écrit :
Marine wrote:
The webpage have to be able to expose some values/parameters to the
extension.
So I tried to add properties to button, to document or to window
objects, in my webpage.
The problem is that reading those from chrome would be exploitable (by
the webpage).
You can do it if you trust the webpage by looking at the wrappedJSObject
of the thing you're working with, instead of the thing itself. But make
sure you trust the webpage (e.g. that it's served over https from a
server you control).
-Boris
Thanks a lot Boris for your quick reply.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security