Closed by stoically 4 years ago
Implemented and released as v1.5.7.9, though not possible in Chrome due to API limitations. Also dropped the requirement for unsafe-eval in Firefox.
Currently content scripts in Firefox are not subject to the extension page CSP, so it's actually not really safer, hence running as a content script was reverted. This will change in the future in Firefox, as described in the links mentioned in #16, which might lead to reconsideration of this approach. As a simple security measure, the script that runs Riot Web now removes all APIs which aren't needed:
If running Riot Web somehow as a content script would be possible, it could increase security by a great deal. Might be hard to do because of Xray vision.
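The API-removal measure mentioned in the closing comment, sketched as an added example; this is not the extension's own code. The function name `stripExtensionApis`, the `KEEP` allowlist and the mock global are assumptions made for illustration. It deletes every extension API namespace that is not allowlisted before the hosted app loads, and reports anything it could not remove so the loader can fail closed.

```javascript
// Added example, not the project's code. KEEP is a constructed allowlist:
// the API namespaces the hosted app is assumed to still need.
const KEEP = new Set(["runtime", "storage"]);

// Delete every own property of the extension namespace objects ("browser",
// and the "chrome" alias) that is not allowlisted. Returns the names that
// could not be deleted (e.g. non-configurable properties) so the caller can
// refuse to start the app instead of running it with extra privileges.
function stripExtensionApis(globalObj, keep = KEEP, namespaces = ["browser", "chrome"]) {
  const failed = [];
  for (const ns of namespaces) {
    const api = globalObj[ns];
    if (api === undefined || api === null) continue; // namespace not exposed
    for (const name of Reflect.ownKeys(api)) {
      if (typeof name === "string" && keep.has(name)) continue;
      // Reflect.deleteProperty returns false instead of throwing.
      if (!Reflect.deleteProperty(api, name)) {
        failed.push(`${ns}.${String(name)}`);
      }
    }
  }
  return failed;
}

// Constructed mock of an extension page's global object.
function demo() {
  const mock = {
    browser: { runtime: {}, storage: {}, tabs: {}, cookies: {}, webRequest: {} },
    chrome: { runtime: {}, tabs: {} },
  };
  // Simulate an API the page cannot delete.
  Object.defineProperty(mock.browser, "management", {
    value: {}, configurable: false, enumerable: true,
  });
  const failed = stripExtensionApis(mock);
  return {
    browserKeys: Object.keys(mock.browser).sort(),
    chromeKeys: Object.keys(mock.chrome).sort(),
    failed,
  };
}

console.log(demo());
```

Run this before any application script is loaded, and treat a non-empty return value as a reason not to load the app.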