<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED WONTFIX - Scripts injected from an isolated world should bypass a page's CSP"
href="https://bugs.webkit.org/show_bug.cgi?id=104305#c6">Comment # 6</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED WONTFIX - Scripts injected from an isolated world should bypass a page's CSP"
href="https://bugs.webkit.org/show_bug.cgi?id=104305">bug 104305</a>
from <span class="vcard"><a class="email" href="mailto:dbates@webkit.org" title="Daniel Bates <dbates@webkit.org>"> <span class="fn">Daniel Bates</span></a>
</span></b>
<pre>I marked this issue RESOLVED WONTFIX because I do not feel we should fix this bug as it encourages a bad idiom. I agree with Adam Barth's remarked in <a href="show_bug.cgi?id=104305#c1">comment #1</a>, we want extension authors to use scripts included in their extension bundle as opposed to programmatically injecting inline script that could make the page susceptible to an XSS vulnerability.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>