Closed Bug 236839 Opened 21 years ago Closed 6 years ago

Disabling JavaScript should not prevent JavaScript contained in chrome XBL from running

Categories

(Core :: XBL, enhancement)

Product:
Core
Component:
XBL
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: glazou, Unassigned)

References

Details

The editor disables JavaScript because it makes no sense to edit a dynamic document. That also disables the execution of all JavaScript code contained in XBL bindings, wherever these bindings come from, chrome or not. In particular, the constructors/destructors of the bindings are not executed... This is a blocker for the implementation of templates in Composer. I could use workarounds for methods and handlers, but hardly for constructors and destructors. And XBL remains the simplest solution to do that; the cost of a c++ implementation is prohibitive in comparison with the XBL solution. It is then proposed to enable JavaScript code contained in chrome XBL bindings attached through a chrome stylesheet. Given the existence of bug 208864, I think this mechanism should not be limited to the editor, and the browser should keep running XBLs when they come from the chrome even if JS is disabled.
So to summarize the discussion we've had up to now, as I understand it: 1) Disabling JS for the document and disabling JS for the nsJSContext should not be the same thing. Editor wants to do the former not the latter (it does the latter now). 2) The nsJSContext api for compiling/evaluating/etc scripts should always take an nsIPrincipal for the caller and only use the ScriptGlobalObject principal if the caller doesn't pass one. 3) The "JS disabled for the document" check should allow execution of JS with chrome principals. 4) XBL should pass in principals as needed. I'm happy to do steps 2 and 4, but I'm not quite sure what people would like to do for step 1, and step 3 yet.....
I don't think that's quite what we agreed on (unless I missed some emails). I don't think we should have more than one "JS is disabled" flag per document/context, we need another flag that's separate from whether JS is enabled or not that just tells if the document is "interactive" or not, and that affects much more than just JS execution (link handling, form submission, etc). I'd like to first settle on the two separate "states" we want. I proposed adding an "interactive" property to nsIDocument (i.e. IsEnabled() and SetIsEnabled(PRBool)), can we agree on this so far? As for #3, I don't think we want that, if JS is disabled, JS is disabled, no matter who calls it. IMO.
Hmm.. that is what we'd come to, yes. My apologies for misremembering. So with your proposal, the situation, as far as I can tell, is as follows: PROPOSED ARCHITECTURE: 1) JS can be disabled on nsJSContext 2) JS can be disabled via prefs; security manager handles this 3) Document can be non-interactive With those three settings all sort of orthogonal to each other. The behavior we are proposing is then: 1) If JS is disabled on nsJSContext, no JS executes, period. 2) If JS is enabled on nsJSContext but the document is non-interactive, only execute JS that's coming from a chrome principal (fixes composer's issues). 3) If JS is enabled on nsJSContext and the document is interactive, still allow chrome JS execution no matter what the user prefs are set to (fixes XBL form control issues and bug 208864). The only issue with all that is that <marquee> would animate in composer with that proposal. This can probably be solved by just setting the -moz-binding on it to some other value in the editor's stylesheets. I'm in favor of SetInteractive() and Interactive() myself (rather than enabled). Seems to describe the situation more clearly....
So that wouldn't solve the issue for mail? I remember a mail bug (don't have the number right now) where context menus on scrollbars weren't disabled on Mac because the XBL JS for the scrollbars didn't run unless you enabled JS in mails. Or would mail use the non-interactive setting? (I'm asking because from your proposal it seems non-interactive disables some stuff that mail might want enabled) The scrollbar bug got fixed in some other way btw, so it's probably a FIXED bug.
(In reply to comment #3) > The only issue with all that is that <marquee> would animate in composer with > that proposal. Does text-decoration:blink blink in composer? if it does, why should marquee not animate?
Because it's possible to edit blinking text but not really possible to edit moving text? ;)
Um, I don't know where I pulled that IsEnabled/SetEnabled from, I meant to say IsInteractive/SetInteractive. I think I'd prefer IsInteractive() over just Interactive, but I think I can deal either way :-)
Blocks: 240187
One issue here.... If the XBL JS is compiled with a chrome principal, does that mean that a page can call a method on the binding and have it execute with chrome priveleges? If so, we need to carefully audit all methods that are exported on chrome bindings that content can load.
Note previous discussion in bug 59701
Blocks: 59701
Blocks: 91779
Blocks: 290219
Any chance of reviving work on this bug? It's blocking XUL error pages in addition to some other interesting bugs.
This bug doesn't really affect error pages in any way. Whoever added that dependency is a little confused. This bug _is_ important, and there _is_ interest in working on it. It's not clear what should happen here, however, and it's a hard problem to solve, in general, without opening up security holes. We're probably going to try to solve it in the 1.9 cycle, though.
No longer blocks: 290219
Boris, I've just run into this problem (or something extremely similar) during my rewrite of Image Toolbar for Firefox. Asqueella pointed out this bug and something occurred to me that may be relevent. Currently, I'm using nsIStyleSheetService to overlay custom CSS (which includes XBL bindings) onto content documents. This has the advantage of making my code extremely efficient and work in 100% of the cases it should (AFAIK). With JavaScript disabled, XBL event JavaScript fails to fire, which means that essentially, my extension is rendered useless. If you're working on this in the future then I can hackaround or put up with the emails until then. Possible suggestion: If CSS (w/XBL) is being inserted from the chrome, it would make sense to me if at some point during that insertion it was placed inside a wrapper (if that even makes sense in this context!) and executes in the chrome scope. It seems that if code is being injected from chrome then it should retain that scope (and security access) so long as it's unmodified. Making sure it's inserted in this way would probably simplify this issue somewhat. Disclaimer: I'm hardly an authority on Mozilla, C++ or security, but it would make sense to me if this bug could be partially fixed that way.
> and executes in the chrome scope. And this is the part that's got security hole potential like no tomorrow... Especially if the page can trick said XBL on operating on whatever content the page passes it. There's the separate issue that if the XBL is on the chrome wrapper (so has chrome privileges), then the unprivileged page can't call those XBL methods. Which is very undesirable in a lot of cases.
(In reply to comment #13) > There's the separate issue that if the XBL is on the chrome wrapper (so has > chrome privileges), then the unprivileged page can't call those XBL methods. > Which is very undesirable in a lot of cases. If that is ever allowed, we need to have some security review of the XBL code so that unpriv. code can't trick the chrome xbl into executing stuff with chrome privs (like my recent PFS code injection bug).
Depends on: 293065
(In reply to comment #13) > > and executes in the chrome scope. > > And this is the part that's got security hole potential like no tomorrow... > Especially if the page can trick said XBL on operating on whatever content the > page passes it. > Notice that the very popular (and loved by Asa) GreaseMonkey extension (and its children, like Patyplus) doesn't work when/where JS is disabled. FlashBlock (a Macromedia Flash content blocker) doesn't work either, and this is in my opinion less acceptable because someone who wants to block Flash selectively on some pages may reasonably want to prevent JavaScritp execution as well. Both extensions use XBL to modify page content and inject scripts. They need JS XBL-injected by the chrome to run even if JS is disabled.
(In reply to comment #13) > > and executes in the chrome scope. > > And this is the part that's got security hole potential like no tomorrow... > Especially if the page can trick said XBL on operating on whatever content the > page passes it. > Notice that the very popular (and loved by Asa) GreaseMonkey extension (and its children, like Patyplus) doesn't work when/where JS is disabled. FlashBlock (a Macromedia Flash content blocker) doesn't work either, and this is in my opinion less acceptable because someone who wants to block Flash selectively on some pages may reasonably want to prevent JavaScritp execution as well. Both extensions use XBL to modify page content and inject scripts. They need JS XBL-injected by the chrome to run even if JS is disabled.
Blocks: 228767
Bug 159932 either dependency or duplicate? "disabling javascript in browser doesn't allow chrome:// to add eventListners to window"
Neither dep nor dup.
We need to do a bunch of XBL work for 1.9, and this bug is just part of that lot. cc'ing peterv and sicking. This bug really needs a new assignee. /be
Target Milestone: --- → mozilla1.9alpha
What I think we should do for now (until we dare go for bug 59701) is to let JS from chrome XBL run even when JS is disabled, but with page privileges. This is how XBL behaves when JS is disabled on docshell level.
Flags: blocking1.9.1?
Assignee: hyatt → nobody
QA Contact: ian → xbl
Not a blocking issue.
Flags: blocking1.9.1? → blocking1.9.1-
Blocks: abp
(In reply to comment #16) > FlashBlock (a Macromedia Flash content blocker) doesn't work either, and this is > in my opinion less acceptable because someone who wants to block Flash > selectively on some pages may reasonably want to prevent JavaScritp execution as > well. +1. I'm on this situation. Is there a hope to see this old bug to be solved one day?
(In reply to comment #22) > (In reply to comment #16) > > someone who wants to block Flash selectively on some pages > > may reasonably want to prevent JavaScript execution as well. > > +1. I'm on this situation. Is there a hope to see this old bug to be solved one > day? Notice that my comment #16 is obsolete, because NoScript can replace FlashBlock: http://noscript.net/features#contentblocking
Flags: wanted1.9.2?
Target Milestone: mozilla1.9alpha1 → ---
comment #16 may be obsolete, but this does still prevent me from writing a FlashBlock-style extension for controlling GIF/APNG animations and then using it alongside NoScript. (Not true blocking, of course. Just "Display only first frame unless an overlaid icon in the corner is clicked")
Blocks: 449358
No longer blocks: abp
Flags: wanted1.9.2?
Other than extensions that the user has to explicitly install, what else can load anything into chrome:// URLs? Heck, why can external pages even access chrome:// URLs? And the fact that someone has written a workaround for a popular extension doesn't mean this isn't still a bug.
> what else can load anything into chrome:// URLs? Nothing. > Heck, why can external pages even access chrome:// URLs? At this point, because the chrome package in question explicitly chose to allow that. Access is blocked by default.
(In reply to Giorgio Maone from comment #23) > Notice that my comment #16 is obsolete, because NoScript can replace > FlashBlock: http://noscript.net/features#contentblocking This bug still causes problems for users who use FlashBlock with YesScript (https://addons.mozilla.org/en-US/firefox/addon/yesscript/), since YesScript doesn't include a Flash blocker. For those who aren't familiar with it, YesScript provides a JavaScript blacklist rather than a whitelist.
PDF.js, feed subscribe pages and HTML5 audio/video keep slapping me in the face with my NoScript use and I’d like to look at fixing it ‐ How hard would this be to tackle for someone of little Firefox hacking experience? How bitrotted are comment 3 and comment 20 ?
Comment general arch proposal should still be ok. Comment 20 should be ok as well, actually. As far as how hard it is, that depends on which set of problems you're tackling. The videocontrols can just be solved by comment 20, which should not be too bad to do. Doing the entirety of comment 3 might take a bit more work. In particular, I'm not sure how PDF.js hooks itself up. The feed subscribe pages is just a recent regression, by the way. See bug 786009.
(In reply to Boris Zbarsky (:bz) from comment #29) > The feed subscribe pages is just a recent regression, by the way. See bug > 786009. Ooh, ta.
Depends on: XBL-scopes
No longer depends on: XBL-scopes
Depends on: 834697

This was fixed by bug 834697.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.