Requesting ability to block scripts by source.

RESOLVED WORKSFORME

Status

SeaMonkey
UI Design
--
enhancement
RESOLVED WORKSFORME
16 years ago
13 years ago

People

(Reporter: stephen hurst, Assigned: Samir Gehani)

Tracking

Trunk
x86
Windows 2000

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

16 years ago
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9) Gecko/20020311
BuildID:    2002031104

You can block images and/or cookies by domain/site, but scripts will be
automatically called regardless of where they live, if javascript is turned on
at all. This defeats one's other efforts to avoid being tracked by advertisers.
In the exampl below, the script name is a long alphanumeric, looks just like the
names used for "bug" images used for site-visitor tracking. Requesting, in
future version, ability to block scripts by site/domain, or alternatively, at
least a preference item to block third-party scripts.

Reproducible: Always
Steps to Reproduce:
1. Go to http://www.deviantart.com/ . While page is loading, observe in status
line, "Transferring data from ad.doubleclick.net..." even with all variations of
doubleclick domains blocked whenever they are encountered, both images and cookies.
2. Look at page source, find: <script language=Javascript1.1
src="http://ad.doubleclick.net/adj/dclk.deviantart/ros;dcopt=ist;abr=!webtv;sz=468x60;ord=230b270e608bfb6487c521ae66b7c280?">
Check preferences, find no preference to defeat this.
3.

Actual Results:  Always loads script from unwanted third party.

Expected Results:  Well, not necessarily expected, but would like to have an
opt-out.

Comment 1

15 years ago
Sounds good.  I guess this means adding a script manager in addition to image
manager, with an option "Accept scripts that come from the originating server
only" just like there is for images.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 2

15 years ago
Here's a variation on this theme - a page display is delayed waiting for a
script to be loaded from an ad server:

<script LANGUAGE="JavaScript1.1">
_krdDartInc++;
document.write('<SCRIPT LANGUAGE="JavaScript1.1"
SRC="http://ad.doubleclick.net/adj/mercurynews.news/news;kw=left1;c2=news_homepage;tile='+_krdDartInc+';sz=120x60;ord='+_krdDartOrd+'?"
><\/SCRIPT>');
</SCRIPT>

Seen in various pages at http://www.bayarea.com/

Comment 3

14 years ago
In the light of the nasty JavaScript issues on ebay (fake login pages or faked
recommendation profiles) I would also suggest an option to block the execution
of every JavaScript piece (or - nicer - certain operations like changing form
URLs etc., but that might be too much) in a page if it comes from a certain server.

I think of something structured like the popup window blocker, which is
structured similar.

-FH

Comment 4

14 years ago
This already exists. The kind of users who want this feature can use
about:config and these documents to get just what you propose. 
http://www.mozilla.org/projects/security/components/ConfigPolicy.html
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → WORKSFORME
Product: Core → Mozilla Application Suite
You need to log in before you can comment on or make changes to this bug.