In my opinion, common use case for Firebug is developing own sites, not reverse engineering unknown possibly malicious web pages. So default option with disabled firebug for all websites except for localhost would be sufficient for me. If user enables it for some malicious site, it is his problem. It’s like downloading and running unknown app from warez site. Keep it simple, stupid and let the user decide! Now in new Firebug, we are all paying big performance penalties in javascript evaluation (console panel) just for this 0.001% case?

Ok, console panel is maybe not performance bottleneck. I give you another example. I’ve tried to implement Firebug extension which needs to evaluate some javascript in the context of running web page (repeatedly). After struggling with new FF3 security exceptions I’ve ended up using Firebug’s “reimplemented Firebug console and command line” how to communicate with running page and eval something inside it (I would call it “dirty hack” instead). The code is error prone, more than ugly and also pays big performance hit.

Does anyone know better solution how to do this in FF3?
http://github.com/darwin/firequery/blob/2fcd979cd28d5afda00bcdcf57e721c8323e015c/firefox/chrome/content/firequery.js#L110

It seems eval performance is show-stopper here.

Don’t take this too offensive. I admire hard work you guys do on Firebug. Without Firebug the webdevelopers would be still in middle ages. Thank you.