Proposal: MailExtensions API to allow UI overlays, but no script injection

John Bieling john.bieling at gmx.de
Thu Oct 10 17:35:43 UTC 2019


In the last days I tried to understand the reasons behind the latest
announcements regarding legacy extensions. The reasons given so far are

- security issues
- stability issues (in terms of addons breaking so often, because stuff
changed in Thunderbird)

WebExtensions improve these things, but also restrict addon authors'
creativity substantially. We would need to ask for every bit of UI
manipulation and we will depend on your good will. This is not a healthy
relationship. I would like to bring back that creativity without
compromising security.

Once the transition from XUL to HTML has been completed, I assume, the
Thunderbird UI will be stable again. So "overlaying" the Thunderbird UI
should not cause so many stability issues. The current legacy overlay
mode allows injecting scripts, which is the cause of the security issue.

The new Overlay API should ignore any scripts and be invoked from the
background.js like so:

browser.overlay.registerOverlay("chrome://messenger/content/addressbook/abNewCardDialog.xul",
"overlays/abNewCardWindow.xul");

and it should fire an onload event or something like that if any of the
registered overlays has been injected and we can then further manipulate
the DOM with whatever is allowed in WebExtension.

That would get rid of the need to write hundreds of different UI APIs.
Overlaying is not a bad thing, it is a very powerful and easy way to
extend a given UI.

Please give us back the power we deserve.

John
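
What "ignore any scripts" would have to cover on the loader side, as an added example that is not part of the original message and not Thunderbird code: besides script elements, inline on* handler attributes and javascript:/data: URLs also run code. The function name strip_scripts, the sample overlay and its ids are constructed for illustration, and rejecting any DOCTYPE is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

BAD_SCHEMES = ("javascript:", "data:")  # conservative choice for this example

# Constructed sample overlay; ids and file names are illustrative only.
SAMPLE = """<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
         xmlns:html="http://www.w3.org/1999/xhtml">
  <script src="chrome://example/content/overlay.js"/>
  <vbox id="exampleBox">
    <button id="exampleButton" label="Example" oncommand="doSomething();"/>
    <html:a href="javascript:doSomething()">link</html:a>
    <label id="exampleLabel" value="Extra field"/>
  </vbox>
</overlay>"""


def local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def strip_scripts(overlay_xml):
    """Return (sanitized_xml, removed); removed lists everything dropped."""
    if "<!doctype" in overlay_xml.lower():
        # Assumption: no DTDs, which avoids entity-expansion tricks.
        raise ValueError("DOCTYPE not accepted in this example")
    root = ET.fromstring(overlay_xml)
    if local(root.tag) != "overlay":
        raise ValueError("root element must be <overlay>")
    removed = []
    # 1. Script elements in any namespace (XUL, XHTML, SVG).
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child.tag).lower() == "script":
                parent.remove(child)
                removed.append("element:script")
    # 2. Inline handlers (on*) and script-capable URL schemes.
    for el in root.iter():
        for name in list(el.attrib):
            # Ignore whitespace and control characters when matching the scheme.
            value = "".join(c for c in el.attrib[name] if c > " ").lower()
            if local(name).lower().startswith("on") or value.startswith(BAD_SCHEMES):
                del el.attrib[name]
                removed.append(f"attr:{local(el.tag)}@{local(name)}")
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print(strip_scripts(SAMPLE)[1])
```

An allow-list of permitted elements and attributes would be stricter than this deny-list and is the safer design if the set of overlay widgets is known.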



More information about the tb-planning mailing list