Open Bug 1536152 Opened 2 years ago Updated 11 months ago

Restrict JS from running within the Picture-in-Picture window <xul:browser>


(Toolkit :: Video/Audio Controls, enhancement, P3)





(Reporter: mconley, Assigned: mconley)


(Blocks 1 open bug)


Per a discussion with ehsan and Nika, we feel like it'd be prudent to ensure that content JS can never run in the about:blank document that we load the cloned <video> element in.

Assignee: nobody → mconley
Priority: P1 → P3

What is the risk if we don't fix this?

Flags: needinfo?(mconley)

This is defense-in-depth work. With what we currently do with the cloned video, I don't think there's currently any risk here, but it'd just be good hygiene to do this.

Flags: needinfo?(mconley)
Blocks: 1532675
No longer blocks: 1527926
Blocks: videopip
No longer blocks: 1532675
You need to log in before you can comment on or make changes to this bug.