From: Max Nikulin
Subject: Re: [BUG] Org-protocol bookmarklets in Firefox behaving badly after recent upgrade [9.6.15 (release_9.6.15 @ /usr/share/emacs/29.4/lisp/org/)]
Date: Sat, 28 Dec 2024 23:05:08 +0700
User-agent: Mozilla Thunderbird
On 28/12/2024 20:55, Rehan Deen wrote:
Max Nikulin writes:
Interestingly, the `org-capture` extension for Firefox from https://github.com/sprig/org-capture-extension continues to work without producing this issue (i.e. the link is captured and the webpage continues to be displayed properly).
So Firefox and Chromium behavior for content scripts has diverged. Chromium asks permission on behalf of the current web page while Firefox treats it as the add-on permission. Likely it is a result of <https://bugzilla.mozilla.org/1792138> "(CVE-2023-25729) Extensions are not prompted before opening external schemes, leading to security issues"
[...]
I suppose it means that we should expect some further disruptive behavior to extensions (not just the insecure bookmarklets) using Org-protocol, but as you indicate it sounds like it is a wider problem.
I like that Firefox associates the external handler permission with the add-on. I am against granting permission to web sites. I do not think that Chromium will follow. Since content scripts work with page elements, they will likely be afraid that page JavaScript may fool the content script trying to inject something malicious into the external protocol URL.
There is an extension API that allows launching an external protocol handler without content scripts. However there are still some corner cases.
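An added example, not part of the message above and not code from Org or from any extension: one way to assemble an org-protocol capture URL so that page-controlled text cannot alter its structure, which is the concern raised about content scripts. The `template`, `url`, `title` and `body` parameters are org-protocol's capture fields; the function names, length caps, single-character template key and sample values are assumptions.

```javascript
// Added example. Field names follow org-protocol's capture query format;
// function names, limits and sample values are assumptions.
const PAGE_SCHEMES = new Set(["http:", "https:"]);
const MAX_FIELD = 4096; // assumed cap, in code points

// Make a string safe to percent-encode and hand to an external handler.
function cleanText(value, limit = MAX_FIELD) {
  const text = String(value ?? "")
    // Lone surrogates make encodeURIComponent throw URIError.
    .replace(/[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g, "\uFFFD")
    // Drop C0/C1 control characters, keeping tab and newline.
    .replace(/[\u0000-\u0008\u000b-\u001f\u007f-\u009f]/g, "");
  // Truncate by code point so no surrogate pair is cut in half.
  return Array.from(text).slice(0, limit).join("").trim();
}

function buildCaptureUrl({ template, pageUrl, title, selection }) {
  // Assumption: the capture template key is a single alphanumeric character.
  if (!/^[A-Za-z0-9]$/.test(template)) {
    throw new Error("unexpected capture template key");
  }
  let page;
  try { page = new URL(pageUrl); }
  catch { throw new Error("page URL does not parse"); }
  if (!PAGE_SCHEMES.has(page.protocol)) {
    throw new Error(`refusing to capture a ${page.protocol} URL`);
  }
  const fields = {
    template,
    url: page.href,
    title: cleanText(title, 512),
    body: cleanText(selection),
  };
  // Encode each value on its own: "&", "=", "#" and "%" in page data must
  // never be able to start a new parameter or a new URL component.
  const query = Object.entries(fields)
    .map(([key, value]) => `${key}=${encodeURIComponent(value)}`)
    .join("&");
  return `org-protocol://capture?${query}`;
}

// Constructed sample: a page title that tries to add its own parameters.
console.log(buildCaptureUrl({
  template: "w",
  pageUrl: "https://example.org/a?b=1&c=2",
  title: "Notes&template=z&body=extra",
  selection: "line1\nline2",
}));
```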