The type attribute on XUL iframe and browser tags is settable to "content" after the element has been added to the DOM tree even though the level of access is fixed once the element has been added. https://developer.mozilla.org/en/XUL/iframe#a-browser.type Developers who do this can then mistakenly load remote websites into xul iframe/browsers as chrome when they believe they are safely loaded as content, creating a security risk for the user. Setting the type attribute on an iframe/browser after being added to the document should throw an error to protect the user and alert the developer to the issue.
Note that the type attribute can be changed later, and is, for example, by the tabbrowser between 'content' and 'content-primary'
summary updated slightly to reflect its just chrome -> content that's the issue.
Summary: setting iframe/browser type attribute after being added should throw error → changing iframe/browser type attribute from chrome to content after being added should throw error
Are we talking log an error to the console, or are we talking throw an exception? I can see doing both, once we have a frameloader...
I'd prefer throwing an exception - it would break some addons but arguably they're broken at the moment in a way. I'm cc'ing Jorge on this in case he has an opinion on addon compatibility.
I agree with making it an exception. Flagging for add-on compat, since we would need to communicate this when implemented.
You need to log in before you can comment on or make changes to this bug.