UX/Security trade off on seamless posting

[irdan]

Right now if a user types a message and then closes the seamless posting background before submitting the content, the content is dropped directly into the host page.

Obviously this is nice because it means the user won't lose what they just typed. However, it also exposes the users content to the host page directly which may not be what a privacy sensitive user would prefer. One potential middle ground is to clear the contents, but save them to the extension storage before doing so. That also creates usability issues.

This is a trade off between user privacy and UX. Right now it feels like we're doing something unexpected.

[smcgregor]

The "typical user" in the persona profile we generated would likely not understand this problem so we are left to make the decision for him. I think if such users understood threat models, they would probably not mind this feature. But what of the more extreme threat models? Perhaps we should maintain a list of these issues that we will tackle in a fork of the code base meant to address more powerful adversaries? Another option would be a "paranoid mode." Regardless, I would personally prefer the current setting. Anyone else have preferences?