> I don't think that's a deal-breaker, it's a one-time mild annoyance at worst.
> Make it a flag (pref) handled by Sync, and when you use
> Sync to pull in your existing stuff it's a non-issue.

Do you have a number on how many Sync users Mozilla has (vs. total users)? It is not a one-time mild annoyance for anyone that has multiple profiles, or uses lots of computers, or uses multiple profiles. Without any numbers, I don't think we should make calls on how much of an annoyance it is/isn't.

For an attack, that is only exploited for 1 website, in a corner case*, you want to set it up so that ALL web developers have to face this annoyance, every time they use a new profile, or a new computer, or a new Firefox install, on ALL websites? Maybe the costs outweigh the benefits?

Further, if you are interested in solving this because it is being actively exploited, why not just disable the address bar self-XSS? If telemetry suggests that developer tools are becoming a target, you can disable that later.

=dev

*Out of the 850M active users on FB, afaik, it is not that many who actually get affected by this

On 13 April 2012 13:16, Justin Dolske <dol...@mozilla.com> wrote:
>
> On 4/13/12 10:49 AM, Tanvi Vyas wrote:
>
>> One thought I had was requiring that the very first time a user uses a
>> developer tool, the user needs to go to Tools->WebDeveloper->Selected
>> Devtool. After that, keyboard shortcuts would work for all devtools. The
>> developer wouldn't have to do anything else to enable the tools and
>> there would be no additional warnings.
>
> Some sort of interstitial warning roughly like this is where I'd start
> thinking from. EG, when you first open the webconsole, a click-thru-able
> warning about staying away unless you know what you're doing. Same basic take
> as we already have with about:config.
>
> [Obvious next refinement: only do this when you're about to execute JS for
> the first time.]
>
>> I also see this as an issue for people who uninstall/reinstall Firefox,
>> or for developers who get a new computer, install Firefox, and wonder
>> why their keyboard shortcuts aren't working.
>> This is bad user experience
>> since it's not clear to the user what's going on.
>
> I don't think that's a deal-breaker, it's a one-time mild annoyance at worst.
> Make it a flag (pref) handled by Sync, and when you use Sync to pull in your
> existing stuff it's a non-issue.
>
> Justin
>
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security