On Friday, April 13, 2012 9:16:11 PM UTC+1, Justin Dolske wrote:
> On 4/13/12 10:49 AM, Tanvi Vyas wrote:
> 
> > One thought I had was requiring that the very first time a user uses a
> > developer tool, the user needs to go to Tools->WebDeveloper->Selected
> > Devtool. After that, keyboard shortcuts would work for all devtools. The
> > developer wouldn't have to do anything else to enable the tools and
> > there would be no additional warnings.
> 
> Some sort of interstitial warning roughly like this is where I'd start 
> thinking from. EG, when you first open the webconsole, a click-thru-able 
> warning about staying away unless you know what you're doing. Same basic 
> take as we already have with about:config.
> 
> [Obvious next refinement: only do this when you're about to execute JS 
> for the first time.]

The trouble is, this affects all JS people. The CSP solution affects virtually 
no-one.
In addition, once you've gone through the warning once, you're unprotected. 
With the CSP solution, you're more likely to get the warning when you are at 
risk because generally only at-risk sites will set the CSP flag.

Joe.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
