
Default CAPS policy should treat news separate from mail



12 years ago
9 years ago


(Reporter: JoeS1, Unassigned)


Firefox Tracking Flags

(Not tracked)



(1 attachment)



12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060315 SeaMonkey/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20060315 SeaMonkey/1.0

The default CAPS policy lumps mail and news together. They have very different security needs. This separates the prefs so that a user.js file can address specific needs.

Reproducible: Always

Steps to Reproduce:
1. Attempt to create a user.js file to override a specific JavaScript function in news. The only possibility is the Mailnews default policy.

Actual Results:  
Since the default policy pertains to Mail as well as News, the policy applies to both mail and news. It would be nice if we could be more selective here.

Expected Results:  
The ability to create policies that pertain to mail and news as separate entities. 

Should be modified to address mail and news separately.

Comment 1

12 years ago
Created attachment 216265 [details]
Separate default policies

Caps greprefs all.js
Comment on attachment 216265 [details]
Separate default policies

application/javascript is registered now, but for an attachment in a bug, you generally want text/plain.

Attachment #216265 - Attachment mime type: application/x-javascript → text/plain
Comment on attachment 216265 [details]
Separate default policies

A diff (attached as a patch) would be even better, though.

What should we look for in your attachment?
Severity: normal → enhancement
Version: unspecified → SeaMonkey 1.0 Branch

Comment 5

10 years ago
Newsgroups have always been a stepchild to mail security policies.
While many of the javascript restrictions might have been warranted for mail,
they were also applied to newsgroups by the fact that those restrictions were
applied as a common mailnews policy.
The attachment was meant to show how policies could be separated for mail and news in the basic greprefs.

Since the time that I filed this bug, I looked further into CAPS policies and found that individual newsgroups' security levels could be modified by using a user.js file like the following:

user_pref("capability.policy.policynames", "jsok");
user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.jsok.sites", "news://news.mozilla.org:119 news://secnews.netscape.com:563 ");
user_pref("capability.policy.jsok.javascript.enabled", "allAccess");
pref("capability.policy.jsok.*.data.get", "allAccess"); ///allows rainbow script to work
pref("capability.policy.jsok.*.href.get", "allAccess"); ///needed for Joji's Embed (only for recent builds)
pref("capability.policy.jsok.*.src.get", "allAccess");  ///image source access by scripts
pref("capability.policy.jsok.dom.disable_window_status_change", false); ///allow ticker
pref("capability.policy.jsok.*.title.get", "allAccess");
pref("capability.policy.jsok.Location.toString", "allAccess");

The above should enable and extend JavaScript capability for the named newsgroups.

But I think the average user would have no clue as to how to apply such a policy. And the end result is that Gecko mailnews clients are considered "incapable" on these extended features.

Bottom line is that Thunderbird and SeaMonkey should provide an easier way for
the average user to control their desired level of security, and not have that
decision decided for them.
Assignee: dveditz → nobody
Component: Security → Preferences
OS: Windows XP → All
QA Contact: seamonkey → prefs
Hardware: PC → All
Version: SeaMonkey 1.0 Branch → unspecified
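
Added example, not part of the bug report or of Mozilla's code: a small Node.js check that parses user.js lines like those in comment 5, lists which properties each CAPS policy sets to allAccess and for which sites, and reports keys that fall outside capability.policy.* or policies missing from policynames. The sample input is constructed, with one key deliberately misspelled; the function name auditCapsPrefs and the report fields are assumptions of this example.

```javascript
// Added example: audit capability.policy.* lines in a user.js file.
// SAMPLE is constructed; the last key is deliberately misspelled.
const SAMPLE = `
user_pref("capability.policy.policynames", "jsok");
user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.jsok.sites", "news://news.mozilla.org:119 news://secnews.netscape.com:563 ");
user_pref("capability.policy.jsok.javascript.enabled", "allAccess");
pref("capability.policy.jsok.*.src.get", "allAccess");  ///image source access by scripts
pref("capabilty.policy.jsok.dom.disable_window_status_change", false); ///allow ticker
`;

const PREFIX = "capability.policy.";
// Matches pref("key", value); and user_pref("key", value); a trailing comment is allowed.
const LINE = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*("[^"]*"|true|false|-?\d+)\s*\)\s*;/;

function auditCapsPrefs(text) {
  const declared = new Set(["default"]); // "default" needs no policynames entry
  const policies = {};                   // name -> { sites: [...], grants: [...] }
  const ignored = [];                    // keys that are not CAPS policy prefs
  for (const raw of text.split("\n")) {
    const m = LINE.exec(raw);
    if (!m) continue;
    const key = m[1];
    const value = m[2].startsWith('"') ? m[2].slice(1, -1) : m[2];
    if (!key.startsWith(PREFIX)) { ignored.push(key); continue; }
    const rest = key.slice(PREFIX.length);
    if (rest === "policynames") {
      value.split(/[\s,]+/).filter(Boolean).forEach((n) => declared.add(n));
      continue;
    }
    const dot = rest.indexOf(".");
    if (dot < 0) { ignored.push(key); continue; }
    const name = rest.slice(0, dot);
    const prop = rest.slice(dot + 1);
    const p = policies[name] || (policies[name] = { sites: [], grants: [] });
    if (prop === "sites") p.sites = value.split(/\s+/).filter(Boolean);
    else if (value === "allAccess") p.grants.push(prop);
  }
  // Policies that have settings but are never listed in policynames.
  const undeclared = Object.keys(policies).filter((n) => !declared.has(n));
  return { policies, ignored, undeclared };
}

console.log(JSON.stringify(auditCapsPrefs(SAMPLE), null, 2));
```
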