Re: Removal of the note about extensions

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 25 Feb 2014 10:00:06 -0800
Message-ID: <530CDA26.1070208@mozilla.com>
To: Mitar <mmitar@gmail.com>, Mike Pomax Kamermans <pomax@nihongoresources.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>

On 2/24/2014 10:44 PM, Mitar wrote:
> I would really love to see bookmarklets explicitly mentioned.
> Otherwise people made arguments that bookmarklets are not add-ons or
> extensions. For example, see this comment:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=866522#c15
>
> Simon is arguing that bookmarklets should not be allowed to inject
> additional scripts into the page because they are not extensions.

I'm pretty sure Simon is arguing in favor of bookmarklets, as better 
than the alternative (for the bookmarklet author) of authoring/packaging 
the same code in a different kind of extension/add-on for each browser.

The scripts he was saying should still be blocked were insecurely loaded 
(http) scripts on a securely loaded (https) page. Firefox now blocks 
that whether or not a page has a CSP and really has nothing to do with 
this conversation.

-Dan Veditz
Received on Tuesday, 25 February 2014 18:00:25 UTC
