window.ipfs all_frames?

[alanshaw]

Currently the content script that injects window.ipfs is set to inject itself in all_frames. This means that if a page has an iframe on it, it will also get a window.ipfs object.

https://github.com/ipfs-shipyard/ipfs-companion/blob/b968f01358788d9f581cd70b0ec5eb13b5ad3f05/add-on/manifest.json#L64

What is everyone feeling on dialing this down to false before we release, and then potentially dialing it up in the future if it's requested? I'm thinking performance and security might be a concern.

[RangerMauve]

How much overhead is there really with injecting it?
Iframes will have security scoped to to the origin within the iframe, right? I don't think there's any security issues there other than the ones that exist for having window.ipfs at all.

[lidel]

I've seen a short-lived "the webpage is slowing down your browser" warning a few times, but it was after extension was reloaded via R in web-ext in developer mode.

Not sure it happens "in production", but I'd say we should keep "all_frames": true enabled in dev channel for now, so that if performance problem exists, people can report it.

As for disabling it before stable release, I added decision to release checklist at #347

[alanshaw]

roger roger