Closed
Bug 336404
Opened 20 years ago
Closed 15 years ago
add option to forbid scripts to use AJAX/XMLHttp
Categories
(Firefox :: General, enhancement)
RESOLVED
WONTFIX
People
(Reporter: buchner.johannes, Unassigned)
Details
(Whiteboard: [CLOSEME 2010-11-01])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060502 Minefield/3.0a1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060502 Minefield/3.0a1
Please add an option "Allow AJAX/XMLHttp" in "Advanced Javascript Settings".
It would be great if one was able to choose if Javascript is allowed to connect to the server on a site. At the moment JS can do what it wants (connect, send, ... to wherever, whatever). It can gain user input and send information, or at least if the user is still on the site.
By disabling the XMLHttp option, more security and control over the website can be gained. JS can't do strange things in the background anymore, except by using an iframe, which could also be prevented: changing the URL of an iframe by JS.
In my opinion, the user should be able to choose if the website is allowed to send information.
Reproducible: Always
Comment 1•20 years ago
> In my opinion, the user should be able to choose if the website is allowed to
> send information.
I don't think you can really accomplish that except by disabling JavaScript. You'd have to disable a huge number of things (ajax, creating iframes, creating images, etc) and you'd end up breaking almost as many sites as you would by disabling JavaScript (maybe even more sites than by disabling JavaScript).
Comment 2•19 years ago (Reporter)
WONTFIX then?
Comment 3•17 years ago
(In reply to comment #2)
> WONTFIX then?
2 years later, CC-ing module owners for Firefox & Javascript.
Comment 4•15 years ago
This is a mass search for bugs which are in the Firefox General component, are
UNCO, have not been changed for 500 days and have an unspecified version.
Reporter, can you please update to Firefox 3.6.10 or later, create a fresh profile, http://support.mozilla.com/en-US/kb/managing+profiles, and test again. If you still see the issue, please update this bug. If the issue is gone, please set the status to RESOLVED > WORKSFORME.
Whiteboard: [CLOSEME 2010-11-01]
Comment 5•15 years ago
This bug serves no useful purpose.
XHR is same origin without CORS, so comment 0 is not accurate. But JS (and even CSS without JS) can tickle sites other than the page's origin, so Ajax is just the last shoe to drop, not the first.
Users don't know, won't know what to do given more triggers to pull, will shoot their feet off and complain, and won't be measurably more secure anyway.
/be
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
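
Comments 1 and 5 argue that blocking XHR alone leaves other request channels (iframes, images, CSS) open. As an added example that is not part of the bug thread, the Node.js audit below uses Content-Security-Policy, a mechanism the thread does not mention, to list which of those channels a policy still leaves able to reach arbitrary hosts. The channel names and sample policies are constructed for illustration.

```javascript
// Added example (not from the bug thread); sample policies are constructed.
// Channel -> CSP fetch-directive fallback chain, most specific first.
const CHANNELS = {
  xhr: ["connect-src", "default-src"],
  image: ["img-src", "default-src"],
  iframe: ["frame-src", "child-src", "default-src"],
  stylesheet: ["style-src", "default-src"],
  font: ["font-src", "default-src"],
};

// Parse a Content-Security-Policy header value into Map(directive -> sources).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the CSP spec a repeated directive is ignored; the first one wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Source expressions that allow arbitrary third-party hosts.
const WIDE_OPEN = new Set(["*", "http:", "https:"]);

// Return, sorted by name, the channels through which a page under this
// policy can still send requests to any host.
function openChannels(header) {
  const policy = parseCsp(header);
  const open = [];
  for (const [channel, chain] of Object.entries(CHANNELS)) {
    const governing = chain.find((d) => policy.has(d));
    // No governing directive at all means the channel is unrestricted.
    if (governing === undefined) { open.push(channel); continue; }
    const sources = policy.get(governing).map((s) => s.toLowerCase());
    if (sources.some((s) => WIDE_OPEN.has(s))) open.push(channel);
  }
  return open.sort();
}

// Constructed policies: the first mirrors the request in this bug (XHR off,
// nothing else restricted); the second restricts every listed channel.
const ONLY_XHR_BLOCKED = "connect-src 'none'";
const ALL_COVERED = "default-src 'self'; img-src 'self' https://img.example";
console.log(openChannels(ONLY_XHR_BLOCKED));
console.log(openChannels(ALL_COVERED));
```

A policy that only turns off `connect-src` still reports every other channel as open, which is the point made in comments 1 and 5.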