Closed Bug 329755 Opened 17 years ago Closed 9 years ago

make javascript.enabled=false in thunderbird

Categories

(Thunderbird :: Security, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: guninski, Unassigned)

References

Details

(Keywords: sec-other, Whiteboard: [sg:nse] [wontfix?])

Attachments

(1 file)

make javascript.enabled=false in thunderbird

javascript in thunderbird pops from unexpected contexts, leading to not
quite pleasant side effects.

setting javascript.enabled=false may limit the side effects.

some limited testing shows that thunderbird seems to work fine with
javascript.enabled=false

note that this preference applies to the "browser part" of the bird, which
should not be hit from luserland.
Target Milestone: --- → Thunderbird2.0
Scott, there shouldn't be any problems with this, right?
Status: NEW → ASSIGNED
Flags: blocking-thunderbird2?
I thought we already defaulted JS to off in tbird?
javascript.allow.mailnews is what's false by default, and what controls js in mail for the most part.

So this applies to js that's not in mail messages? I'm happy to try running with this off...but if the user decides they want to enable js in mail, do they need to enable both prefs, in which case, we'd need to tweak our UI, perhaps.
Would have to be more than just the default pref since there's no UI for it, but let's see if we can swing this.
Flags: blocking1.8.0.7+
Blocks: 346984
(In reply to comment #3)
>...but if the user decides they want to enable js in mail, do they
> need to enable both prefs, in which case, we'd need to tweak our UI, perhaps.
> 

i heard the incorporated comrades from sun microsystems(tm)(inc) had some disagreement with the fr3nch military over active content in 00 d0cum3nts.

In a docshell of APP_TYPE_MAIL the mailnews javascript pref will win, this will only affect non-mailnews docshells. Thunderbird shouldn't have any of those, right?

What about lightning? does it need to run non-chrome content javascript? I'd hope not.

This approach doesn't help seamonkey mailnews.
Attachment #235080 - Flags: review?(bienvenu)
Attachment #235080 - Flags: approval1.8.0.7?
Comment on attachment 235080 [details] [diff] [review]
turn off global javascript pref

I don't think the compose window is of type app mail.

We should verify that js in mail still works if the user turns it on. I agree that the code looks right...

At some point, TB might want to do stuff that requires js in a doc shell, but I think we can turn on javascript on a per doc shell basis.
Attachment #235080 - Flags: review?(bienvenu) → review+
Composer is not app-mail, but it also has JS explicitly disabled. I meant, Thunderbird doesn't have any non-mail content docshells in which it expects scripts to execute, right? But extensions might be an exception to that.

I don't think you could turn it on per docshell. We check a bunch of stuff (caps, docshell setting), and if any one of them says "no script" that's the end of it.
I don't know about extensions - this change worries me somewhat since we don't know if it breaks anything, and we're not giving the user any nice UI to undo it...it's a nice safety net when other things are broken, however.
We may come back and change our mind, but we think we have bug 346984 solved another way, and turning this off blocks what a legitimate extension can do. Plus, this isn't an approach we can take to secure SeaMonkey, so we do need to solve bug 346984 in another way ultimately anyway.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: blocking1.8.0.7+ → blocking1.8.0.7-
Resolution: --- → WONTFIX
Comment on attachment 235080 [details] [diff] [review]
turn off global javascript pref

not for now, will keep it in mind as an emergency back-up plan.
Attachment #235080 - Flags: approval1.8.0.7? → approval1.8.0.7-
clearing the approval request
Flags: blocking-thunderbird2? → blocking-thunderbird2-
This might be worth doing on the trunk as an extra safety backup, and to see if any extensions actually do rely on this feature over the next year or so before a 1.9-based thunderbird is shipped.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
i'd appreciate an example where this option breaks something not counting extensions
[sg:nse]
Whiteboard: [sg:nse]
If we want to go with this on trunk, sooner is probably better than later...
Flags: wanted-thunderbird3?
Target Milestone: Thunderbird2.0 → ---
Though seamonkey wouldn't be able to benefit from that right? Which would seem to make this a bit pointless.
Scott was working on something related in bug 374577, not sure if that would affect a decision on this.
>Though seamonkey wouldn't be able to benefit from that right? Which would seem
>to make this a bit pointless.

seamonkey aside, this will decrease the number of bugs in thunderbird, regression chances are very small imo
Assignee: dveditz → nobody
Flags: wanted-thunderbird3?
Whiteboard: [sg:nse] → [sg:nse] [wontfix?]
To keep this discussion alive...
... wouldn't it be the right time now to give TB's UI an option for enabling/disabling Javascript so that the user can decide what he wants ?
I did some test with RSS feeds ("website view" instead of "summary"): Some RSS articles include Javascript. This was the starting point for me to think about why there's no option in  TB's UI to deactivate JS.
Maybe I am little bit spoiled from Firefox, where such options are available in its UI...
(In reply to dfghjkjhg from comment #20)
> Maybe I am little bit spoiled from Firefox, where such options are available
> in its UI...

Firefox removed theirs too.

I think given how broken web pages with js turned off are nowadays, disabling it isn't really an option as long as we want to display web pages somewhere inside the app.

->WONTFIX
Status: REOPENED → RESOLVED
Closed: 16 years ago9 years ago
Resolution: --- → WONTFIX
Duplicate of this bug: 567138
hi, any fix coming for this? Using SeaMonkey, and every time i reply to an email containing an image, i get a script error, and then seamonkey freezes and i have to restart. thx
(In reply to johny why from comment #23)
> hi, any fix coming for this? Using SeaMonkey, and every time i reply to an
> email containing an image, i get a script error, and then seamonkey freezes
> and i have to restart. thx

Your issue is unlikely to be related to this bug.  

You should seek help at one of the forum or newsgroup site mentioned in the links found at https://www.seamonkey-project.org/doc/
You need to log in before you can comment on or make changes to this bug.