- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Tue, 25 Feb 2014 10:00:06 -0800
- To: Mitar <mmitar@gmail.com>, Mike Pomax Kamermans <pomax@nihongoresources.com>
- CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 2/24/2014 10:44 PM, Mitar wrote:
> I would really love to see bookmarklets explicitly mentioned.
> Otherwise people made arguments that bookmarklets are not add-ons or
> extensions. For example, see this comment:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=866522#c15
>
> Simon is arguing that bookmarklets should not be allowed to inject
> additional scripts into the page because they are not extensions.

I'm pretty sure Simon is arguing in favor of bookmarklets, as better than the alternative (for the bookmarklet author) of authoring/packaging the same code in a different kind of extension/add-on for each browser.

The scripts he was saying should still be blocked were insecurely loaded (http) scripts on a securely loaded (https) page. Firefox now blocks that whether or not a page has a CSP and really has nothing to do with this conversation.

-Dan Veditz

Received on Tuesday, 25 February 2014 18:00:25 UTC