barbaz wrote:
Thanks for the explanation. Couple questions:
1) Is even Fx 3.6.28 recent enough that this feature can be considered just as obsolete there as it can with, say, SeaMonkey 2.32.1?
Firefox 3.6.28 has bigger issues to worry about, but yes, I can't see any overwhelming benefit for that version either.
barbaz wrote:
2) Doesn't this put a lot of additional trust in what websites do with XHR?
Can a (Temp-)Allowed site do something crazy like fetch an entire JS file (or a file containing some segment of JS) from a non-(Temp-)Allowed site, read its contents into a variable, and pass the result to eval(), and thus pose a risk that's not there if that XHR were blocked?
Yes it can, but this means either that the temp-allowed site is malicious in itself or that it has been compromised.
In the former case I cannot see any additional benefit from retrieving the payload through XHR. In the latter it could help work around size restrictions, but using XHR is usually quite verbose, so the advantage seems slim. However, this, no matter how slim, might actually be an argument in favor of restoring the removed functionality. I'll take a week looking for alternate ways to work around the compatibility issues and see what can be done in the next release.
barbaz wrote:
(Plugin objects fetched by XHR and embedded as data URIs would get placeholders, right?)
Nope, but again, this would only help work around size issues. And yet, again, it might be a reason to restore XHR restrictions.