Closed
Bug 317819
Opened 19 years ago
Closed 19 years ago
disable more javascript/DOM abilities, plugins in mail
Product: SeaMonkey
Component: UI Design
Type: defect
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: ajschult784
Assigned: ajschult784
References: Depends on 1 open bug
Keywords: fixed1.8
Attachments (2 files, 4 obsolete files):
- 2.85 KB, patch | kairo: approval-seamonkey1.0+
- 1.61 KB, patch | dbaron: review+
Among the Advanced->Scripts&Plugins prefs, only "Hide Status Bar" is disabled by default. Most of these add nothing to the user's browsing experience and are often abused by websites and/or could be used to confuse the user and make spoofing easier. Web applications sometimes use these abilities in a way that's appropriate, but their users can always re-enable them. These are all already disabled in Firefox/Thunderbird.
Comment 1 (Assignee)•19 years ago
disables move/resize, raise/lower, mucking with the context menu and plugins in mail. I left change images and status bar text. Changing images is actually useful. I personally have changing status bar text disabled as well, but leaving it on isn't real bad and disabling it isn't all that useful because of bug 40838.
Attachment #204195 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204195 - Flags: review?(iann_bugzilla)
Updated•19 years ago
Attachment #204195 - Flags: superreview?(neil.parkwaycc.co.uk) → superreview+
Attachment #204195 - Flags: review?(iann_bugzilla) → review+
Comment 2 (Assignee)•19 years ago
fixed
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 3 (Assignee)•19 years ago
oops. I guess I shouldn't be mucking with all.js when we have browser-prefs.js. Also Firefox doesn't actually disable the context menu like I thought.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 4 (Assignee)•19 years ago
I had timeless back out the all.js change.
Attachment #204195 - Attachment is obsolete: true
Attachment #204510 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204510 - Flags: review?(neil.parkwaycc.co.uk)
Comment 5•19 years ago
Comment on attachment 204510: just patch browser-prefs.js
You don't need two blank lines, and you shouldn't tag this block on to the end, I'd rather have the #ifdefs at the end (oops: bidi.browser.ui!)
Comment 6 (Assignee)•19 years ago
Attachment #204510 - Attachment is obsolete: true
Attachment #204557 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204557 - Flags: review?(neil.parkwaycc.co.uk)
Attachment #204510 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204510 - Flags: review?(neil.parkwaycc.co.uk)
Comment 7•19 years ago
Comment on attachment 204557: like so?
Thanks for moving the bidi pref too.
Attachment #204557 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204557 - Flags: superreview+
Attachment #204557 - Flags: review?(neil.parkwaycc.co.uk)
Attachment #204557 - Flags: review+
Comment 8•19 years ago
I know at least a dozen folks that have switched to SeaMonkey specifically for plugin capability, not in Mail necessarily, but in Newsgroups. Am I correct in assuming that since this checkin
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=mozilla/mailnews&command=DIFF_FRAMESET&root=/cvsroot&file=mailnews.js&rev1=3.256&rev2=3.257
the plugin pref will have to be overridden again? Crescendo (although not currently supported) works quite well either with remote source embeds or javascript embeds to an inline src.
Comment 9 (Assignee)•19 years ago
Yes, you'll need to override the pref. The pref shows up in the pref window under advanced->scripts&plugins. The vast majority of users shouldn't have this pref enabled. It allows attackers to send you mail with java/flash/etc embedded objects that attempt to steal personal info or at least confuse users into sending their info. Plugins also have security holes. Mail is a much easier attack vector since attackers can send the mail to victims and they are almost guaranteed to at least open it (compared with depending on victims to visit their website). All of that goes double for exactly the type of people who would be least likely to find, understand and change the pref.
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED
Comment 10 (Assignee)•19 years ago
I think we want this for beta. I'll pretend that 1.8.0.1 = SM1.0b
Attachment #204557 - Attachment is obsolete: true
Attachment #204647 - Flags: approval1.8.0.1?
Comment 11•19 years ago
I've backed out the move/resize part of this patch on trunk pending the luna tinderbox being tweaked to deal with it -- the DHTML perf test needs to be able to maximize the window.
Updated (Assignee)•19 years ago
Attachment #204647 - Flags: approval1.8.0.1? → approval-seamonkey1.0?
Comment 12•19 years ago
Comment on attachment 204647: patch for branch
Does the branch have similar issues to trunk wrt DHTML perf tests?
Comment 13•19 years ago
Comment on attachment 204647: patch for branch
hmm, I'm actually not glad with breaking Tdhtml tests by default as we have them running on our branch tinderboxen... The rest looks fine to me for branch though...
Comment 14•19 years ago
Comment on attachment 204647: patch for branch
hmm, I'm actually not glad with breaking Tdhtml tests by default as we have them running on our branch tinderboxen... The rest looks fine to me for branch though...
Comment 15•19 years ago
I'm not really looking at branch Tdhtml, so I'm ok with this happening on branch. There should be no changes there that affect Tdhtml anyway. ;)
Comment 16 (Assignee)•19 years ago
> hmm, I'm actually not glad with breaking Tdhtml tests by default as we have
> them running on our branch tinderboxen...
We can still see regressions, the baseline will just be too low. Or you can fix it on the server: add
set_pref($pref_file, 'dom.disable_window_flip', 'false');
here: http://lxr.mozilla.org/mozilla/source/tools/tinderbox/build-seamonkey-util.pl#1742
Comment 17•19 years ago
Comment on attachment 204647: patch for branch
ok, a=me as long as we get the set_pref change made for branch
Comment 18•19 years ago
Chase just made this change on luna; I've relanded on trunk the part of the patch for this bug that I had backed out.
Attachment #205436 - Flags: review?(dbaron)
Comment 19•19 years ago
Attachment #205436 - Attachment is obsolete: true
Attachment #205437 - Flags: review?(dbaron)
Attachment #205436 - Flags: review?(dbaron)
Comment 20•19 years ago
Comment on attachment 204647: patch for branch
ok, get it in - my branch tinderboxen have the fix now - we should still try to get it into tinderbox tree though
Attachment #204647 - Flags: approval-seamonkey1.0? → approval-seamonkey1.0+
Keywords: fixed1.8
Attachment #205437 - Flags: review?(dbaron) → review+
Comment on attachment 205437: Er, _this_ is the change Chase made
I checked this in to the trunk.
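An added example (not part of this bug or of the SeaMonkey patch): a small Node.js check that scans a profile's prefs file for overrides that re-enable the abilities comment 1 lists as disabled, such as the `dom.disable_window_flip` override suggested for the tinderbox in comment 16. Only `dom.disable_window_flip` is named on this page; the other two pref names and the hardened values in `HARDENED` are assumptions, and the mail plugin pref is left out because the thread never names it.

```javascript
// Hardened values assumed for the abilities listed in comment 1. Only
// dom.disable_window_flip is named in the thread; the rest are assumptions.
const HARDENED = {
  "dom.disable_window_move_resize": true,  // scripts may not move/resize windows
  "dom.disable_window_flip": true,         // scripts may not raise/lower windows
  "dom.event.contextmenu.enabled": false,  // scripts may not alter the context menu
};

// Matches user_pref("name", value); and pref("name", value); lines.
// Comment lines (# or //) never match because of the ^ anchor.
const PREF_RE = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);
    if (!m) continue;
    const v = m[2];
    let value;
    if (v === "true" || v === "false") value = v === "true";
    else if (/^-?\d+$/.test(v)) value = Number(v);
    else value = v.replace(/^(["'])(.*)\1$/, "$2"); // strip quotes from a string
    prefs.set(m[1], value);                          // last assignment wins
  }
  return prefs;
}

// Report every policy pref that a prefs file overrides away from its hardened value.
function auditOverrides(text, policy = HARDENED) {
  const findings = [];
  for (const [name, value] of parsePrefs(text)) {
    if (!Object.prototype.hasOwnProperty.call(policy, name)) continue;
    if (typeof value !== "boolean") {
      findings.push({ name, value, status: "type-mismatch" }); // e.g. "true" as a string
    } else if (value !== policy[name]) {
      findings.push({ name, value, status: "weakened" });
    }
  }
  return findings;
}

// Constructed sample prefs file (not taken from a real profile).
const SAMPLE = [
  "# Mozilla User Preferences",
  'user_pref("browser.startup.page", 1);',
  'user_pref("dom.disable_window_flip", false);',
  '// user_pref("dom.disable_window_move_resize", false);',
  'user_pref("dom.event.contextmenu.enabled", "true");',
].join("\n");
console.log(auditOverrides(SAMPLE));
```

Run it against a copy of a profile's prefs.js or user.js by passing the file contents to `auditOverrides`; an empty array means none of the listed prefs has been overridden to a weaker value.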