Open Bug 1148908 Opened 9 years ago Updated 2 years ago

Click to enable JavaScript APIs

Categories

(Firefox :: General, enhancement)

36 Branch
x86_64
Linux
enhancement

UNCONFIRMED

People

(Reporter: Phyks, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150305221847

Steps to reproduce:

Hi,

In one of the latest versions, Firefox introduced a mechanism to block Flash by default, and a "click to enable" option to enable the Flash plugin on a specific page in one click (and to eventually remember this choice).

The same behaviour was previously used for some privacy concern APIs such as geolocation and access to webcam / mic (disabled by default / one click to enable / remember option).


However, in my opinion, Flash (and external plugins) and the already blocked APIs are not the only APIs which raise privacy concerns. In particular, JavaScript APIs such as:
* access to the clipboard event (to modify copied text, to call a callback on paste)
* WebRTC (which can be used to discover the true IP address of a user behind a proxy, plus the fact that Firefox does not use the configured proxy for WebRTC)
* localStorage / cookies
are raising privacy concerns and could be blocked as well by default (or through an option).

This way, the usual DOM modification (which is mostly harmless and too widely used) would still be working perfectly fine out of the box, but advanced APIs would require user agreement to continue. This would incorporate some of the benefits from NoScript directly in Firefox, avoiding the pain of having to authorize almost every website as the web of today is not usable without JavaScript, and NoScript blocks on a per script basis rather than on a per API basis.

What do you think about it?

Thanks
Severity: normal → enhancement
Component: Untriaged → General
Severity: normal → S3