disable more javascript/DOM abilities, plugins in mail

Status: RESOLVED FIXED
Product: SeaMonkey
Component: UI Design
Reported: 12 years ago
Last modified: 9 years ago

People

(Reporter: Andrew Schultz, Assigned: Andrew Schultz)

Tracking

(Depends on: 1 bug, {fixed1.8})
Trunk
fixed1.8

Firefox Tracking Flags

(Not tracked)

Attachments

(2 attachments, 4 obsolete attachments)

(Assignee)

Description

12 years ago
Among the Advanced->Scripts&Plugins prefs, only "Hide Status Bar" is disabled by default.  Most of these add nothing to the user's browsing experience and are often abused by websites and/or could be used to confuse the user and make spoofing easier.  Web applications sometimes use these abilities in a way that's appropriate, but their users can always re-enable them.

These are all already disabled in Firefox/Thunderbird.
(Assignee)

Comment 1

12 years ago
Created attachment 204195 [details] [diff] [review]
patch

disables move/resize, raise/lower, mucking with the context menu and plugins in mail.

I left change images and status bar text.  Changing images is actually useful.  I personally have changing status bar text disabled as well, but leaving it on isn't real bad and disabling it isn't all that useful because of bug 40838.
Attachment #204195 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204195 - Flags: review?(iann_bugzilla)

Updated

12 years ago
Attachment #204195 - Flags: superreview?(neil.parkwaycc.co.uk) → superreview+

Updated

12 years ago
Attachment #204195 - Flags: review?(iann_bugzilla) → review+
(Assignee)

Comment 2

12 years ago
fixed
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Comment 3

12 years ago
oops.  I guess I shouldn't be mucking with all.js when we have browser-prefs.js

Also firefox doesn't actually disable the context menu like I thought.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 4

12 years ago
Created attachment 204510 [details] [diff] [review]
just patch browser-prefs.js

I had timeless back out the all.js change.
Attachment #204195 - Attachment is obsolete: true
Attachment #204510 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204510 - Flags: review?(neil.parkwaycc.co.uk)

Comment 5

12 years ago
Comment on attachment 204510 [details] [diff] [review]
just patch browser-prefs.js

You don't need two blank lines, and you shouldn't tag this block on to the end, I'd rather have the #ifdefs at the end (oops: bidi.browser.ui!)
(Assignee)

Comment 6

12 years ago
Created attachment 204557 [details] [diff] [review]
like so?
Attachment #204510 - Attachment is obsolete: true
Attachment #204557 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204557 - Flags: review?(neil.parkwaycc.co.uk)
Attachment #204510 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204510 - Flags: review?(neil.parkwaycc.co.uk)

Comment 7

12 years ago
Comment on attachment 204557 [details] [diff] [review]
like so?

Thanks for moving the bidi pref too.
Attachment #204557 - Flags: superreview?(neil.parkwaycc.co.uk)
Attachment #204557 - Flags: superreview+
Attachment #204557 - Flags: review?(neil.parkwaycc.co.uk)
Attachment #204557 - Flags: review+

Comment 8

12 years ago
I know at least a dozen folks that have switched to seamonkey specifically for plugin capability, not in Mail necessarily, but in Newsgroups.
Am I correct in assuming that since this checkin
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&root=/cvsroot&subdir=mozilla/mailnews&command=DIFF_FRAMESET&root=/cvsroot&file=mailnews.js&rev1=3.256&rev2=3.257
the plugin pref will have to be overridden again?
Crescendo (although not currently supported) works quite well either with remote source embeds or javascript embeds to an inline src.
(Assignee)

Comment 9

12 years ago
Yes, you'll need to override the pref.  The pref shows up in the pref window under advanced->scripts&plugins.

The vast majority of users shouldn't have this pref enabled.  It allows attackers to send you mail with java/flash/etc embedded objects that attempt to steal personal info or at least confuse users into sending their info.  Plugins also have security holes.

Mail is a much easier attack vector since attackers can send the mail to victims and they are almost guaranteed to at least open it (compared with depending on victims to visit their website).

All of that goes double for exactly the type of people who would be least likely to find, understand and change the pref.
Status: REOPENED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
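As an added illustration (not code from this bug or from the SeaMonkey project): a small Node.js script that parses a Mozilla-style prefs file and flags the preferences this bug's patch disables when a profile leaves them in the permissive state. Of the preference names used, only dom.disable_window_flip appears in this bug; dom.disable_window_move_resize, dom.event.contextmenu.enabled and mailnews.message_display.allow_plugins are assumed to be the corresponding Mozilla preferences of the time, and the sample prefs text is constructed.

```javascript
// Added example: audit a prefs.js-style file for the mail/DOM hardening
// settings discussed in this bug. Only dom.disable_window_flip is named on
// the page; the other preference names are assumed.

// Preference name -> the value the patch ships as the default.
const HARDENED_DEFAULTS = {
  "dom.disable_window_move_resize": true,          // move/resize (assumed name)
  "dom.disable_window_flip": true,                 // raise/lower, named in comment 16
  "dom.event.contextmenu.enabled": false,          // scripts replacing the context menu (assumed name)
  "mailnews.message_display.allow_plugins": false, // plugins in mail (assumed name)
};

// Parse lines of the form  pref("name", value);  or  user_pref("name", value);
// Values may be booleans, integers or double-quoted strings; other lines
// (comments, blank lines) are ignored.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    const [, name, raw] = m;
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (raw.startsWith('"')) value = JSON.parse(raw); // quoted string literal
    else value = parseInt(raw, 10);
    prefs[name] = value;
  }
  return prefs;
}

// Compare the parsed prefs against HARDENED_DEFAULTS. A pref that is set to
// the permissive value is reported as "weak"; one that is not set at all is
// reported as "missing", meaning the application's built-in default applies.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(HARDENED_DEFAULTS)) {
    if (!(name in prefs)) {
      findings.push({ name, status: "missing", value: undefined, want });
    } else if (prefs[name] !== want) {
      findings.push({ name, status: "weak", value: prefs[name], want });
    }
  }
  return findings;
}

// Constructed sample profile fragment (not taken from any real profile).
const SAMPLE_PREFS = `// constructed sample prefs
pref("dom.disable_window_move_resize", false);
pref("dom.disable_window_flip", true);
user_pref("dom.event.contextmenu.enabled", true);
pref("general.useragent.locale", "en-US");
`;

for (const f of auditPrefs(SAMPLE_PREFS)) {
  console.log(`${f.status.padEnd(7)} ${f.name} (is ${f.value}, hardened default ${f.want})`);
}
```

The "missing" case is the one the patch is really about: a user who never opens Advanced->Scripts&Plugins gets whatever the application default is, so shipping the hardened value as the default protects exactly the people comment 9 describes.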
(Assignee)

Comment 10

12 years ago
Created attachment 204647 [details] [diff] [review]
patch for branch

I think we want this for beta.  I'll pretend that 1.8.0.1 = SM1.0b
Attachment #204557 - Attachment is obsolete: true
Attachment #204647 - Flags: approval1.8.0.1?

Comment 11

I've backed out the move/resize part of this patch on trunk pending the luna tinderbox being tweaked to deal with it -- the DHTML perf test needs to be able to maximize the window.
(Assignee)

Updated

12 years ago
Attachment #204647 - Flags: approval1.8.0.1? → approval-seamonkey1.0?

Comment 12

12 years ago
Comment on attachment 204647 [details] [diff] [review]
patch for branch

Does the branch have similar issues to trunk wrt  DHTML perf tests?

Comment 13

12 years ago
Comment on attachment 204647 [details] [diff] [review]
patch for branch

hmm, I'm actually not glad with breaking Tdhtml tests by default as we have them running on our branch tinderboxen... The rest looks fine to me for branch though...

Comment 14

12 years ago
Comment on attachment 204647 [details] [diff] [review]
patch for branch

I'm not really looking at branch Tdhtml, so I'm ok with this happening on branch.  There should be no changes there that affect Tdhtml anyway.  ;)
(Assignee)

Comment 16

12 years ago
> hmm, I'm actually not glad with breaking Tdhtml tests by default as we have
> them running on our branch tinderboxen...

We can still see regressions, the baseline will just be too low.

or you can fix it on the server:
add
set_pref($pref_file, 'dom.disable_window_flip', 'false');
here:
http://lxr.mozilla.org/mozilla/source/tools/tinderbox/build-seamonkey-util.pl#1742

Comment 17

12 years ago
Comment on attachment 204647 [details] [diff] [review]
patch for branch

ok, a=me as long as we get the set_pref change made for branch

Comment 18

Created attachment 205436 [details] [diff] [review]
Make that change to the tinderbox config

Chase just made this change on luna; I've relanded on trunk the part of the patch for this bug that I had backed out.
Attachment #205436 - Flags: review?(dbaron)

Comment 19

Created attachment 205437 [details] [diff] [review]
Er, _this_ is the change Chase made
Attachment #205436 - Attachment is obsolete: true
Attachment #205437 - Flags: review?(dbaron)
Attachment #205436 - Flags: review?(dbaron)

Comment 20

12 years ago
Comment on attachment 204647 [details] [diff] [review]
patch for branch

ok, get it in - my branch tinderboxen have the fix now - we should still try to get it into tinderbox tree though
Attachment #204647 - Flags: approval-seamonkey1.0? → approval-seamonkey1.0+
Keywords: fixed1.8

Comment 21

Attachment #205437 - Flags: review?(dbaron) → review+
Comment on attachment 205437 [details] [diff] [review]
Er, _this_ is the change Chase made

I checked this in to the trunk.

Updated

11 years ago
Depends on: 349121

Updated

9 years ago
Component: XP Apps: GUI Features → UI Design