Changes

Add-ons/Reviewers/Guide/Reviewing

65 bytes added, 23:34, 13 February 2015
m
Nits
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Remote script injection.
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Add-ons can use data-only APIs, but should never download and execute remote code, not even in the scope of a webpage. Any use of the <code><script></code> tag (like <code>createElement("script")</code>) needs to be carefully analyzed.
|- style="vertical-align: top;"
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | <code><browser></code> or <code><iframe></code> elements with no <code>type</code> attribute, used in privileged documents.
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Reject
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | See the [https://developer.mozilla.org/en/XUL/iframe#a-browser.type iframe documentation]. The type must be one of <code>"content"</code>, <code>"content-targetable"</code>, or <code>"content-primary"</code>. This must be done ''before'' anything is loaded on that <code>iframe</code>. If the <code>iframe </code> or <code>browser </code> is used to load only chrome content, and it is clear from the code that it will never load anything else, <code>type="chrome"</code> may be used when necessary.
|- style="vertical-align: top;"
| style="padding: .5ex 1ex 1ex 0; border-bottom: 1px solid black;" | Inserting remote content with <code>innerHTML</code>.
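Review bot: In the browser/iframe row, the condition cell only names elements "with no type attribute", while the explanation cell requires the value to be one of "content", "content-targetable", or "content-primary", so an element that has a type attribute with some other value is not covered by the condition as worded. Suggest wording the condition as "with no type attribute, or a type other than the content types", keeping the chrome-only exception for type="chrome" in the explanation. The same explanation cell also has stray spaces inside the code tags around "iframe " and "browser " that could be dropped while touching this row.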