Closed Bug 1122310 Opened 9 years ago Closed 9 years ago

Toggle javascript.enabled preference to false stopped to work for blocking scripts execution

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 998456

People

(Reporter: kmjh, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 5.0; rv:24.0) Gecko/20140105 K-Meleon/74.0
Build ID: 7400

Steps to reproduce:

Load a page with javascript enabled, using any version from 31 (or even earlier) to latest nightly 38.0a1.

Toggle javascript.enabled preference from true to false to stop scripts execution.

Interact with a page with scripts.

The scripts still work.

Example page where can be tested onclick, click event listener and onmouseover for mouse track events:
http://www.geocities.ws/jothache/event_listener.html

Example page where can be tested AJAX (XMLHttpRequest javascript calls):
http://www.w3schools.com/xml/xml_http.asp


Actual results:

After toggling the preference javascript.enabled from true to false, the scripts keep executing when requested by interaction.


Expected results:

The scripts should have been stopped when the preference toggles, as have been until 24 version (if not earlier), where started to fail only with event listeners at this version.

Now, every version from 31 to latest nightly are failing to block javascript execution when toggling javascript.enabled from true to false.

It doesn't disable javascript.

The only way to actually stop scripts execution is to load the page with javascript.enabled set to false.

This wasn't this way in earlier versions.

As for the XMLHttpRequest example page, it represents a huge security issue as the user interaction can be tracked and being sent to the server without user knowledge.

Worst if the user trust on the preference to stop scripts execution as with previous versions, what it isn't actually happening.
Severity: normal → major
OS: Windows 2000 → All
The issue has been confirmed in the Firefox support pages by an administrator and a moderator:
https://support.mozilla.org/en-US/questions/1038877
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
I forgot to mention the obvious, that the opposite also happens with "javascript:code;" format href.

For example, if we have "javascript:alert('hello');" in a href attribute, it used to work when the page has loaded with javascript.enabled set to false and then is toggled to true.

From version 31, stopped to work as well.
This was a purposeful change, pretty much.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.