|
|
|
|
|
|
by rubbingalcohol
4603 days ago
|
|
|
If all of the Javascript code and application functionality is bundled into the add-on, it's trivial to avoid XSS. There's no "site" to script into via the URL, and rendering of dynamic elements can be done via a sandboxed iFrame, preventing any scripts from running within dynamic data. This is fairly basic security that any add-on developer should be aware of: http://developer.chrome.com/apps/sandboxingEval.html "XSS isn't the only way either." That's about as illuminating as saying "something bad could happen." No one is saying JavaScript or browser security is perfect, but if you actually know what you're doing, it can be done properly. The original "JavaScript security is doomed" Matasano article is extremely out of date at this point, and yet people keep referring to it like it's gospel. |
|
|