GoogleCodeArchive / musicpm

Automatically exported from code.google.com/p/musicpm

Custom user menus and higher privileges environment #89

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. In the custom menu editor, it is not possible for the end user to call functions
like prompt() or alert().

What is the expected output? What do you see instead?
Because of the evalInSandbox(), an exception is thrown with "Permission denied".

This issue is created to track changes and deliveries to create what follows:
- Separated plugin to enable custom menu with higher privileges
- Changes in the menu creation window, to insert additional options to choose the
execution level: evalInSandbox() or eval()

Original issue reported on code.google.com by aurelien...@gmail.com on 13 Jun 2010 at 2:37

GoogleCodeExporter commented 9 years ago

Original comment by aurelien...@gmail.com on 13 Jun 2010 at 11:48

GoogleCodeExporter commented 9 years ago
Using evalInSandbox() to evaluate the user's scripts (aka menus) breaks calls to
the alert() and prompt() functions (and others). Even if the security is now
stronger, the user experience is lowered by this problem.
At this point, there are 2 possibilities that need to be studied:
1 - having .xul and methods to replace/mimic the broken functions and then expose
them to the end user
2 - as mentioned above, split the menu into a separate add-in for mpm. This
could allow higher-privilege execution, but may expose the user to potential
vulnerabilities (if any).

* Currently, point 2 is doable, but requires some time to implement. But
I don't want to take any risks with the security. However, the user experience
could be greater with user-supplied scripts. This could allow scripts to call
commands to burn playlists, export the currently playing song to IRC or
Twitter... Also, if a separate extension is distributed, it will have to be
maintained and users should be prompted to update it from time to time.

* The problem with point 1 is that I don't know how to get return values
from a XUL window, but this should be doable. Also, it would be only a
work-around and there would be no possibility of improving the user experience.

Original comment by aurelien...@gmail.com on 14 Jun 2010 at 1:41