| ▲ | TeMPOraL 7 hours ago |
| I'm torn on whether to see this "AI Kill switch" as a win on respecting the users, or something to keep us distractewd while they ship through "Trusted Types" API that sounds like further restriction of end-user computing freedoms. |
|
| ▲ | LiamPowell 7 hours ago | parent | next [-] |
| I would absolutely love to hear your reasoning that leads to type systems being considered a "restriction of end-user computing freedoms". For those that don't know what trusted types are: Simply put, it splits the string type in to unsanitised_string_from_user and safe_escaped_string where unsafe strings can not be used in function parameters that only take a safe string That's heavily simplifying of course, but it's the basic idea. |
| |
| ▲ | TeMPOraL 6 hours ago | parent [-] | | Skimming the API docs on MDN, it makes sure the site vendor gets to run filtering code over anything you'd want to inject via e.g. user script or console, securing it with CSP. I expect this to make user scripts work as well as they do on Chrome now. If there's a workaround, I'd love to hear about it. | | |
| ▲ | duskdozer 3 hours ago | parent | next [-] | | Oh just great. The web is bad enough already, I think I'll have to go live in the woods if userscripts get kneecapped | |
| ▲ | LiamPowell 6 hours ago | parent | prev [-] | | Worst case you just run your userscript before any policies are created, but in most cases it's not going to impact userscripts. |
|
|
|
| ▲ | lastorset 6 hours ago | parent | prev | next [-] |
| You may be thinking of the much-hated "Trusted Computing" initiative. "Trusted" here means that the JavaScript dev picks a sanitizing library they trust, not that Mozilla decides what software is trustworthy. |
| |
| ▲ | TeMPOraL 5 hours ago | parent [-] | | Nah, my issue isn't with users vs. Mozilla, but users vs. "JavaScript dev", specifically the difference of opinion on who should have final say on what gets executed and what doesn't. |
|
|
| ▲ | debugnik 6 hours ago | parent | prev [-] |
| Aren't those just overengineered sanitizers? |
| |
| ▲ | TeMPOraL 6 hours ago | parent [-] | | Question is, can you sidestep or disable them in user scripts or in developer tools, without disabling CSP entirely or doing something even more invasive (and generally precluding use of that browser instance for browsing)? | | |
| ▲ | evilpie 5 hours ago | parent [-] | | We made sure to exclude WebExtensions code from web pages's Trusted Types restrictions enforcement. (Bugs can happen of course) | | |
| ▲ | duskdozer 3 hours ago | parent [-] | | Sorry, so you mean something like Violentmonkey scripts would be unaffected? |
|
|
|
