Closed Bug 317819 Opened 19 years ago Closed 19 years ago

disable more javascript/DOM abilities, plugins in mail

Category: SeaMonkey :: UI Design (defect; priority: Not set; severity: normal)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: ajschult784, Assigned: ajschult784
References: Depends on 1 open bug
Keywords: fixed1.8
Attachments: 2 files, 4 obsolete files

Among the Advanced->Scripts&Plugins prefs, only "Hide Status Bar" is disabled by default.  Most of these add nothing to the user's browsing experience and are often abused by websites and/or could be used to confuse the user and make spoofing easier.  Web applications sometimes use these abilities in a way that's appropriate, but their users can always re-enable them.

These are all already disabled in Firefox/Thunderbird.
Attached patch patch (obsolete) — Splinter Review
disables move/resize, raise/lower, mucking with the context menu and plugins in mail.

I left change images and status bar text.  Changing images is actually useful.  I personally have changing status bar text disabled as well, but leaving it on isn't real bad and disabling it isn't all that useful because of bug 40838.
Attachment #204195 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204195 - Flags: review?(iann_bugzilla)
Attachment #204195 - Flags: superreview?(neil.parkwaycc.co.uk) → superreview+
Attachment #204195 - Flags: review?(iann_bugzilla) → review+
fixed
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
oops.  I guess I shouldn't be mucking with all.js when we have browser-prefs.js

Also firefox doesn't actually disable the context menu like I thought.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch just patch browser-prefs.js (obsolete) — Splinter Review
I had timeless back out the all.js change.
Attachment #204195 - Attachment is obsolete: true
Attachment #204510 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204510 - Flags: review?(neil.parkwaycc.co.uk)
Comment on attachment 204510 [details] [diff] [review]
just patch browser-prefs.js

You don't need two blank lines, and you shouldn't tag this block on to the end, I'd rather have the #ifdefs at the end (oops: bidi.browser.ui!)
Attached patch like so? (obsolete) — Splinter Review
Attachment #204510 - Attachment is obsolete: true
Attachment #204557 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204557 - Flags: review?(neil.parkwaycc.co.uk)
Attachment #204510 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204510 - Flags: review?(neil.parkwaycc.co.uk)
Comment on attachment 204557 [details] [diff] [review]
like so?

Thanks for moving the bidi pref too.
Attachment #204557 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204557 - Flags: superreview+
Attachment #204557 - Flags: review?(neil.parkwaycc.co.uk)
Attachment #204557 - Flags: review+
I know at least a dozen folks that have switched to seamonkey specifically for plugin capability, not in Mail necessarily, but in Newsgroups.
Am I correct in assuming that since this checkin
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=mozilla/mailnews&command=DIFF_FRAMESET&root=/cvsroot&file=mailnews.js&rev1=3.256&rev2=3.257
the plugin pref will have to be overridden again?
Crescendo (although not currently supported) works quite well either with remote source embeds or javascript embeds to an inline src.
 
Yes, you'll need to override the pref.  The pref shows up in the pref window under advanced->scripts&plugins.

The vast majority of users shouldn't have this pref enabled.  It allows attackers to send you mail with java/flash/etc embedded objects that attempt to steal personal info or at least confuse users into sending their info.  Plugins also have security holes.

Mail is a much easier attack vector since attackers can send the mail to victims and they are almost guaranteed to at least open it (compared with depending on victims to visit their website).

All of that goes double for exactly the type of people who would be least likely to find, understand and change the pref.
Status: REOPENED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attached patch patch for branch — Splinter Review
I think we want this for beta.  I'll pretend that 1.8.0.1 = SM1.0b
Attachment #204557 - Attachment is obsolete: true
Attachment #204647 - Flags: approval1.8.0.1?
I've backed out the move/resize part of this patch on trunk pending the luna tinderbox being tweaked to deal with it -- the DHTML perf test needs to be able to maximize the window.
Attachment #204647 - Flags: approval1.8.0.1? → approval-seamonkey1.0?
Comment on attachment 204647 [details] [diff] [review]
patch for branch

Does the branch have similar issues to trunk wrt  DHTML perf tests?
Comment on attachment 204647 [details] [diff] [review]
patch for branch

hmm, I'm actually not glad with breaking Tdhtml tests by default as we have them running on our branch tinderboxen... The rest looks fine to me for branch though...
I'm not really looking at branch Tdhtml, so I'm ok with this happening on branch.  There should be no changes there that affect Tdhtml anyway.  ;)
> hmm, I'm actually not glad with breaking Tdhtml tests by default as we have
> them running on our branch tinderboxen...

We can still see regressions, the baseline will just be too low.

or you can fix it on the server:
add
set_pref($pref_file, 'dom.disable_window_flip', 'false');
here:
http://lxr.mozilla.org/mozilla/source/tools/tinderbox/build-seamonkey-util.pl#1742
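An added example, not code from the bug or the SeaMonkey tree, that audits a prefs.js/user.js fragment for the DOM-ability prefs this bug is about: dom.disable_window_flip is the name used in this thread, while dom.disable_window_move_resize, dom.disable_window_status_change and dom.disable_image_src_set are the usual Gecko names for move/resize, status-bar text and image swapping and are assumed here. The constructed sample reproduces the effect of the tinderbox set_pref() override above, which the audit reports as weak.

```python
import re
from typing import Dict

# DOM-ability prefs this bug disables or discusses; True = ability switched off.
# dom.disable_window_flip is named in the thread; the other three are the usual
# Gecko names for move/resize, status-bar text and image swapping (assumed here;
# confirm against your build's all.js / browser-prefs.js).
HARDENED: Dict[str, bool] = {
    "dom.disable_window_flip": True,           # raise/lower (focus stealing)
    "dom.disable_window_move_resize": True,    # move/resize
    "dom.disable_window_status_change": True,  # status bar text
    "dom.disable_image_src_set": True,         # image swapping
}

# Matches build defaults (pref) and profile overrides (user_pref) alike.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

def parse_prefs(text: str) -> Dict[str, bool]:
    """Collect boolean pref lines; the last line for a name wins, which is
    how a user_pref appended by a tool overrides the build default."""
    prefs: Dict[str, bool] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2) == "true"
    return prefs

def audit_prefs(text: str) -> Dict[str, str]:
    """Report each tracked pref as 'hardened', 'weak' or 'unset' (default applies)."""
    found = parse_prefs(text)
    report: Dict[str, str] = {}
    for name, want in HARDENED.items():
        if name not in found:
            report[name] = "unset"
        else:
            report[name] = "hardened" if found[name] == want else "weak"
    return report

# Constructed sample: build defaults followed by the kind of user_pref line the
# tinderbox set_pref() workaround in this bug appends to re-enable window flip.
SAMPLE_PREFS = """\
pref("dom.disable_window_move_resize", true);
pref("dom.disable_window_flip", true);
pref("dom.disable_image_src_set", false);
user_pref("dom.disable_window_flip", false);
"""
if __name__ == "__main__":
    for name, state in audit_prefs(SAMPLE_PREFS).items():
        print(f"{state:8s} {name}")
```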
Comment on attachment 204647 [details] [diff] [review]
patch for branch

ok, a=me as long as we get the set_pref change made for branch
Chase just made this change on luna; I've relanded on trunk the part of the patch for this bug that I had backed out.
Attachment #205436 - Flags: review?(dbaron)
Attachment #205436 - Attachment is obsolete: true
Attachment #205437 - Flags: review?(dbaron)
Attachment #205436 - Flags: review?(dbaron)
Comment on attachment 204647 [details] [diff] [review]
patch for branch

ok, get it in - my branch tinderboxen have the fix now - we should still try to get it into tinderbox tree though
Attachment #204647 - Flags: approval-seamonkey1.0? → approval-seamonkey1.0+
Comment on attachment 205437 [details] [diff] [review]
Er, _this_ is the change Chase made

I checked this in to the trunk.
Depends on: 349121
Component: XP Apps: GUI Features → UI Design