
Questions About Security Best Practices


Scott Turner

Apr 27, 2013, 9:28:18 PM
I am working on an extension to display RSS feeds. The extension opens an HTML page (with a chrome: URI) and then displays the RSS feed items by injecting them into that page.

I've read the page on displaying web content securely:

https://developer.mozilla.org/en-US/docs/Displaying_web_content_in_an_extension_without_security_issues

which points out that this is a security problem, because script in the injected HTML would execute in the chrome context, rather than the content context.

A couple of questions:

(1) The page first suggests that the solution to this is to create a "type=content" <iframe> and display the RSS feed content there. There seem to be several problems with this approach.

First, the <iframe> doesn't resize to fit the content. There are some workarounds for this, but it does make it difficult to incorporate the content into the rest of the web page.

Second, clicking on a link in the <iframe> opens the link inside the iframe, rather than in the enclosing tab.

Does anyone have suggestions for working around these problems -- particularly examples of working code?

(2) The bottom of the page seems to suggest an alternate approach of sanitizing the code using nsIScriptableUnescapeHTML.parseFragment() [now nsIParserUtils.sanitize]. Is this an acceptable solution to the Mozilla Add-on Editors? Why does the sanitizer remove iframes?

Thanks in advance for any help/insight!

-- Scott
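As an added illustration of the sanitizing approach mentioned in question (2) (this is example code, not part of the original post, not Mozilla's nsIParserUtils, and not the poster's extension): an allowlist sanitizer run over a constructed feed entry before that entry is injected into a privileged page. It keeps a fixed set of tags and attributes, drops <script> and <iframe> together with their bodies, discards every on* handler, and keeps only absolute http(s) URLs, because a relative URL in content injected into a chrome: document would resolve against the extension's own chrome: base. The tag lists, the sample entry and the policy choices are assumptions made for the example.

```javascript
// Allowlist HTML sanitizer for untrusted feed entries (added example, not Mozilla's
// nsIParserUtils). Runs under Node; tag/attribute lists are example policy, not a standard.
const ALLOWED_TAGS = new Set([
  "p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li", "blockquote",
  "code", "pre", "h1", "h2", "h3", "h4", "a", "img",
]);
const VOID_TAGS = new Set(["br", "img"]);
// Elements whose body is script, raw text or useless without the element: drop them whole.
const DROP_WITH_BODY = new Set([
  "script", "style", "iframe", "object", "embed", "noscript", "textarea", "svg", "math",
]);
const ALLOWED_ATTRS = {
  a: new Set(["href", "title"]),
  img: new Set(["src", "alt", "title", "width", "height"]),
};
const URL_ATTRS = new Set(["href", "src"]);

function escapeAttr(v) {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Accept only absolute http(s) URLs. Control characters and whitespace are stripped first,
// because browsers ignore them inside the scheme ("java\tscript:" is still javascript:).
function safeUrl(raw) {
  const v = raw.replace(/[\u0000-\u0020\u007f]/g, "");
  return /^https?:\/\//i.test(v) ? v : null;
}

// Rebuild the attribute list from scratch: anything not explicitly allowed (including
// every on* handler and style) is dropped; URL-valued attributes must pass safeUrl.
function sanitizeAttrs(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const re = /([^\s="'\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "", m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) continue;
    let value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4] !== undefined ? m[4] : "";
    if (URL_ATTRS.has(name)) {
      value = safeUrl(value);
      if (value === null) continue;
    }
    out += ` ${name}="${escapeAttr(value)}"`;
  }
  return out;
}

function sanitizeHtml(input) {
  // Tokens: comment | start/end tag | other <...> (doctype, <?...>) | text | stray '<'
  const re = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|<[^>]*>|[^<]+|</g;
  const open = [];            // allowed tags currently open, so output is balanced
  let out = "", m;
  while ((m = re.exec(input)) !== null) {
    const tok = m[0];
    if (tok === "<") { out += "&lt;"; continue; }
    if (tok[0] !== "<") { out += tok.replace(/>/g, "&gt;"); continue; }  // text: contains no '<'
    const name = m[1] && m[1].toLowerCase();
    if (!name) continue;      // comment, doctype or processing instruction: dropped
    const closing = tok[1] === "/";
    if (DROP_WITH_BODY.has(name)) {
      if (!closing) {
        // Skip to the matching end tag so script/iframe bodies never reach the output;
        // an unterminated element swallows the rest of the entry (fail closed).
        const rest = input.slice(re.lastIndex);
        const end = rest.match(new RegExp("</" + name + "\\s*>", "i"));
        re.lastIndex = end ? re.lastIndex + end.index + end[0].length : input.length;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;    // unknown tag dropped, its children kept as-is
    if (VOID_TAGS.has(name)) {
      if (!closing) out += `<${name}${sanitizeAttrs(name, m[2])}>`;
      continue;
    }
    if (closing) {
      const i = open.lastIndexOf(name);
      if (i === -1) continue;                 // stray end tag
      while (open.length > i) out += `</${open.pop()}>`;
    } else {
      open.push(name);
      out += `<${name}${sanitizeAttrs(name, m[2])}>`;
    }
  }
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// Constructed sample entry (not from any real feed) carrying the things a hostile feed
// could try to smuggle into a chrome: document.
const SAMPLE_ENTRY =
  '<p>Release <b>1.2</b> is out.</p>' +
  '<script>alert(Components.classes)</script>' +
  '<iframe src="http://evil.example/"></iframe>' +
  '<a href="javascript:alert(1)" onclick="evil()">bad link</a>' +
  '<a href="https://example.org/post" title="Post">good link</a>' +
  '<img src="../../chrome/content/browser.xul" onerror="evil()">' +
  '<img src="https://example.org/pic.png" alt="pic">' +
  '<div style="position:fixed">text in div</div>' +
  '<!-- comment -->1 &lt; 2';

console.log(sanitizeHtml(SAMPLE_ENTRY));
```

The caveat a practitioner would want: this is a hand-written tokenizer, and the classic way such sanitizers fail is by tokenizing differently from the browser's own HTML parser (a `>` inside a quoted attribute, for instance, ends the tag here but not in the browser). That divergence is exactly why the MDN page steers extension authors toward the built-in parser-backed sanitizer rather than string filtering; the example is for understanding what such a sanitizer must do, not a replacement for it.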