You could make a case for this, but as things stand right now, locally
installed chrome can do anything native code can do. You wouldn't want
to write an application in C++ that downloads and runs code from a
non-local site, and you wouldn't want to write chrome that does this
either. But that's up to the author of the chrome. Chrome is like a
native executable - the user should trust it completely if they're going
to download and install it. This isn't a bug, it's a design decision. We
can't protect users from badly written chrome any more than from badly
written native code.
-Mitch
Alex Fritze wrote:
> Hi,
>
> if I include some non-locally stored js into a chrome file,
>
> <script src="http://www.myserver.com/script.js" />
>
> then the script gets full chrome privileges. Is this a bug? Shouldn't the
> script be restricted depending on where it came from?
>
> Thanks
> alex
