Closed Bug 320522 Opened 19 years ago Closed 11 years ago

Allow whitelist of javascript by site

Categories

(Firefox :: Security, enhancement)

RESOLVED WONTFIX

People

(Reporter: guninski, Unassigned)

imho the noscript extension - 
https://addons.mozilla.org/extensions/moreinfo.php?application=firefox&id=722
provides very nice functionality of whitelisting javascript/plugins to
specific domains/sites.

having in mind its popularity on addons.mozilla.org (second place at the
moment, 234 641 downloads) a lot of ff users are interested in its
functionality.

is it possible including it (or its functionality) in official firefox?

this may have the advantage of preventing javascript exploits while keeping
the functionality of "trusted" sites.

the noscript extension is under GPL according to its licence, but couldn't
find its source.

iirc the noscript functionality may be achieved via preferences, so only a
front end is needed (may be wrong on this).
Personally I think Firefox is not unsafe enough to justify this discomfort of disabling JavaScript by default.
In the rare case (once in about two weeks) that I want to disable JavaScript I prefer a simple button on my toolbar (extension Prefbuttons). :)
I prefer to have JS disabled and enable it on demand. Especially the feature "allow temporary" is very useful. If I check some sites I do not need to meddle with the white or black list. I will vote for it if it comes to a real discussion about adding it. But I can stay with the extension as well.
it is not only a question about javascript, noscript disables also plugins.

plugins may be dangerous IMHO.
(In reply to comment #3)

> plugins may be dangerous IMHO.
>
One should update plugins in time. Use the last Java version, the last RealPlayer, the last WMP and of course the last Windows updates (if you're using Windows). Then you'll be perfectly safe (till the next update) if you're also using Firefox.  

Surely with all the new cool stuff firefox has (SVG, canvas, etc) the use of javascript is likely to increase. Completely disabling it by default would probably result in many 'waaa firefox sucks it doesn't work' threads/bug reports/irc whinging/etc.
(In reply to comment #5)
> Completely disabling it by default would probably result in many
> 'waaa firefox sucks it doesn't work' threads/bug reports

Not necessarily, if it were coupled with visible UI, like a scammy-site detector, it might work. Run JS for trusted sites (user defined), don't run for unknown sites instead show an infobar that lets users turn it on (temporarily or add site to 'good' list), and don't run and don't show the infobar for bad sites. Let users set the default behavior to "run" for the middle class.

But then you have to build in an evil-site detector/service.
I think the evil sites detector must be in the people's heads. Everyone with common sense knows that owners of cracks, warez and cheap movies sites don't do this work for free.
And the JavaScript there is one of the least things to worry about. Most download links also work with disabled JavaScript. If you're lucky, your virus scanner knows the trojans inside the downloaded cracks and movies and can eliminate them.
So in these cases no-script can even give a false feeling of security.

 
noscript has configurable user interface (similar to plugins, but with auto hide option).

it may generate bugspam from lusers, but this may be prevented by making it off by default.

for me over 99% of the web *i* browse is completely usable without javascript (the exceptions being js games and lame webmail) - of course i am not a representative statistical sample.

imho the noscript should be targeted at "power users" or above and at paranoids - its popularity on addons shows there is demand for such functionality.

noscript offers the following advantage - if by any chance a not yet patched javascript exploit appears, users may be advised to use the noscript extension temporarily (disabling js cuts more functionality).
*** Bug 326416 has been marked as a duplicate of this bug. ***
Having the ability to disable javascript with some exceptions does not mean leaving javascript disabled by default. Just leave javascript enabled by default and nobody will complain.

Also, this is not related only to security. For instance, some sites seem to be using javascript to pop-up ads even with pop-ups disabled. One might want to disable javascript in order to ignore all useless appendages to some site, and experience faster, lighter browsing.
OS: Linux → All
Hardware: PC → All
Summary: noscript extension → Allow whitelist of javascript/plugins by site
*** Bug 347928 has been marked as a duplicate of this bug. ***
I vote this to be in the Version => Unspecified category, because I would like to see this in the 2.0 Branch.  Really all I want is this:

Right now, users are only able to turn Java/Javascript on or off
completely.  It would be nice to have Java/Javascript managed like cookies,
pop-ups, and images are currently.  Then, users could turn Java/Javascript on
or off globally, and specify sites they want to make exceptions for.  

Then, what would be a "nice-to-have" would be if specific Javascript features could be managed in this same way, but this is just a "nice-to-have" :-).  
I've asked on Mozillazine here => http://forums.mozillazine.org/viewtopic.php?p=2419927&sid=87af58ee7e52f57d4e45532fb87099a2

I was told that there was already a way to whitelist/blacklist Java/Javascript by editing prefs.js or about:config, but, yes, I would like to see a decent UI implemented in Firefox Preferences to manage these rules by the time Firefox 2 is released.
duping to bug 38966, but bug 94035 ("BlockFlash") is conceptually similar and has more votes.

*** This bug has been marked as a duplicate of 38966 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Not a dup of a SeaMonkey bug.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Assignee: dveditz → nobody
I have used the 'zones' feature in IE to accomplish this. very powerful feature. unfortunately, MS has decided to remove zone info from the status bar, and now it's several key-presses and clicks away.

if you do implement this feature, i'll be switching to firefox, it was my main reason for using IE, other than GPO support.
JavaScript should be enabled by default, then the user can disable it and control it on per-site basis through 'Page Info > Permissions Tab' just like you control Cookies, Plugins, Images...etc. would be nice indeed.

This is very important.
We're not going to address this use case in Firefox proper, you can use NoScript or add-ons like it.
Status: REOPENED → RESOLVED
Closed: 18 years ago → 11 years ago
Resolution: --- → WONTFIX
Well, we're doing it for plugins (see e.g. bug 880735), but not for JavaScript.
Summary: Allow whitelist of javascript/plugins by site → Allow whitelist of javascript by site

This issue is still valid, but in a bit different sense. I have opened 1553791.
