Proposal: MailExtensions API to allow UI overlays, but no script injection

John Bieling john.bieling at
Sat Oct 12 13:29:07 UTC 2019

Now before the thread derails, I would like to sum up. I think I
invalidated all arguments raised so far:

*1. Overlay is a code monster*

No its not, you can have a sleek implementation of about 500 lines and
no other place in the code base needs to know about the overlay API. It
is a self contained API. We will of course not use chrome.manifest anymore.

The overlay API just needs the window listener and an xml parser. There
is actually not a big difference between XUL and HTML elements in the
overlay file, just the namespace is different when creating the elements.

*2. Overlay is a security issue*

We simply disallow any JS and ignore any JS when parsing the overlay
file. There is no security issue. After removing all the JS script
stuff, the API will probably be even shorter than 500 lines.

*3. Addons may break due to changes in the Thunderbird UI

That is true and it is the compromise I am asking for. But breaks due to
UI changes are easy to fix, you mostly have to update an ID. And how
often will the UI change, after all that XUL -> HTML transition is done?

My knowledge about webext API is very very low, and I think I will need
10x more time than you to turn (for example) my OverlayManager into a
proof-of-concept experiment. But I will go that extra mile, if you
promise to consider it for core.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the tb-planning mailing list