Closed Bug 329755 Opened 18 years ago Closed 11 years ago

make javascript.enabled=false in thunderbird

Categories

(Thunderbird :: Security, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: guninski, Unassigned)

References

Details

(Keywords: sec-other, Whiteboard: [sg:nse] [wontfix?])

Attachments

(1 file)

make javascript.enabled=false in thunderbird

javascript in thunderbird pops from unexpected contexts, leading to not
quite pleasant side effects.

setting javascript.enabled=false may limit the side effects.

some limited testing shows that thunderbird seems to work fine with
javascript.enabled=false

note that this preference applies to the "browser part" of the bird, which
should not be hit from luserland.
Target Milestone: --- → Thunderbird2.0
Scott, there shouldn't be any problems with this, right?
Status: NEW → ASSIGNED
Flags: blocking-thunderbird2?
I thought we already defaulted JS to off in tbird?
javascript.allow.mailnews is what's false by default, and what controls js in mail for the most part.

So this applies to js that's not in mail messages? I'm happy to try running with this off...but if the user decides they want to enable js in mail, do they need to enable both prefs, in which case, we'd need to tweak our UI, perhaps.
Would have to be more than just the default pref since there's no UI for it, but let's see if we can swing this.
Flags: blocking1.8.0.7+
Blocks: 346984
(In reply to comment #3)
>...but if the user decides they want to enable js in mail, do they
> need to enable both prefs, in which case, we'd need to tweak our UI, perhaps.
> 

i heard the incorporated comrades from sun microsystems(tm)(inc) had some disagreement with the fr3nch military over active content in 00 d0cum3nts.

In a docshell of APP_TYPE_MAIL the mailnews javascript pref will win, this will only affect non-mailnews docshells. Thunderbird shouldn't have any of those, right?

What about lightning? does it need to run non-chrome content javascript? I'd hope not.

This approach doesn't help seamonkey mailnews.
Attachment #235080 - Flags: review?(bienvenu)
Attachment #235080 - Flags: approval1.8.0.7?
Comment on attachment 235080 [details] [diff] [review]
turn off global javascript pref

I don't think the compose window is of type app mail.

We should verify that js in mail still works if the user turns it on. I agree that the code looks right...

At some point, TB might want to do stuff that requires js in a doc shell, but I think we can turn on javascript on a per doc shell basis.
Attachment #235080 - Flags: review?(bienvenu) → review+
Composer is not app-mail, but it also has JS explicitly disabled. I meant, Thunderbird doesn't have any non-mail content docshells in which it expects scripts to execute, right? But extensions might be an exception to that.

I don't think you could turn it on per docshell. We check a bunch of stuff (caps, docshell setting), and if any one of them says "no script" that's the end of it.
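The pref precedence described in the comments above, as an added example that is not part of the bug or of Thunderbird's code. It reads `user_pref` lines from a profile and reports which content contexts the two prefs leave script-enabled; the function names, the `"mail"`/`"content"` labels and the sample profiles are constructed for illustration, and the other checks named in the thread (caps, docshell setting) are not modeled.

```javascript
// Added example: models only the two prefs discussed in this thread.
// Assumed defaults: javascript.enabled=true (the value this bug asks to flip),
// javascript.allow.mailnews=false (stated in the thread for Thunderbird).
const DEFAULTS = {
  "javascript.enabled": true,
  "javascript.allow.mailnews": false,
};

// Parse user_pref("name", true|false); lines from prefs.js / user.js text.
// Commented-out lines are ignored; a later line overrides an earlier one.
function parsePrefs(text) {
  const prefs = { ...DEFAULTS };
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;/gm;
  for (const m of text.matchAll(re)) {
    if (Object.prototype.hasOwnProperty.call(DEFAULTS, m[1])) {
      prefs[m[1]] = m[2] === "true";
    }
  }
  return prefs;
}

// Per the thread: in an APP_TYPE_MAIL docshell the mailnews pref wins;
// javascript.enabled only governs non-mail content docshells.
// A true result means "not blocked by these prefs"; caps policy or a
// docshell-level setting can still deny script.
function contentScriptAllowed(prefs, docshellType) {
  return docshellType === "mail"
    ? prefs["javascript.allow.mailnews"]
    : prefs["javascript.enabled"];
}

function audit(text) {
  const prefs = parsePrefs(text);
  return {
    mail: contentScriptAllowed(prefs, "mail"),
    otherContent: contentScriptAllowed(prefs, "content"),
  };
}

// Constructed sample profiles (not taken from the bug).
const STOCK = `// no overrides\n`;
const HARDENED = `user_pref("javascript.enabled", false);\n`;
const MAIL_ON = HARDENED + `user_pref("javascript.allow.mailnews", true);\n`;

console.log(audit(STOCK), audit(HARDENED), audit(MAIL_ON));
```

The `MAIL_ON` profile shows the case asked about in comment #3: under the precedence described here, enabling the mailnews pref alone is enough for mail docshells even with the global pref off.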
I don't know about extensions - this change worries me somewhat since we don't know if it breaks anything, and we're not giving the user any nice UI to undo it...it's a nice safety net when other things are broken, however.
We may come back and change our mind, but we think we have bug 346984 solved another way, and turning this off blocks what a legitimate extension can do. Plus, this isn't an approach we can take to secure SeaMonkey, so we do need to solve bug 346984 in another way ultimately anyway.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.0.7+ → blocking1.8.0.7-
Resolution: --- → WONTFIX
Comment on attachment 235080 [details] [diff] [review]
turn off global javascript pref

not for now, will keep it in mind as an emergency back-up plan.
Attachment #235080 - Flags: approval1.8.0.7? → approval1.8.0.7-
clearing the approval request
Flags: blocking-thunderbird2? → blocking-thunderbird2-
This might be worth doing on the trunk as an extra safety backup, and to see if any extensions actually do rely on this feature over the next year or so before a 1.9-based thunderbird is shipped.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
i'd appreciate an example where this option breaks something not counting extensions
[sg:nse]
Whiteboard: [sg:nse]
If we want to go with this on trunk, sooner is probably better than later...
Flags: wanted-thunderbird3?
Target Milestone: Thunderbird2.0 → ---
Though seamonkey wouldn't be able to benefit from that, right? Which would seem to make this a bit pointless.
Scott was working on something related in bug 374577, not sure if that would affect a decision on this.
>Though seamonkey wouldn't be able to benefit from that right? Which would seem
>to make this a bit pointless.

seamonkey aside, this will decrease the number of bugs in thunderbird, regression chances are very small imo
Assignee: dveditz → nobody
Flags: wanted-thunderbird3?
Whiteboard: [sg:nse] → [sg:nse] [wontfix?]
To keep this discussion alive...
... wouldn't it be the right time now to give TB's UI an option for enabling/disabling Javascript so that the user can decide what he wants?
I did some tests with RSS feeds ("website view" instead of "summary"): Some RSS articles include Javascript. This was the starting point for me to think about why there's no option in TB's UI to deactivate JS.
Maybe I am a little bit spoiled from Firefox, where such options are available in its UI...
(In reply to dfghjkjhg from comment #20)
> Maybe I am little bit spoiled from Firefox, where such options are available
> in its UI...

Firefox removed theirs too.

I think given how broken web pages with js turned off are nowadays, disabling it isn't really an option as long as we want to display web pages somewhere inside the app.

->WONTFIX
Status: REOPENED → RESOLVED
Closed: 18 years ago → 11 years ago
Resolution: --- → WONTFIX
hi, any fix coming for this? Using SeaMonkey, and every time i reply to an email containing an image, i get a script error, and then seamonkey freezes and i have to restart. thx
(In reply to johny why from comment #23)
> hi, any fix coming for this? Using SeaMonkey, and every time i reply to an
> email containing an image, i get a script error, and then seamonkey freezes
> and i have to restart. thx

Your issue is unlikely to be related to this bug.  

You should seek help at one of the forum or newsgroup sites mentioned in the links found at https://www.seamonkey-project.org/doc/