Closed Bug 42678 Opened 25 years ago Closed 25 years ago

Javascript for mail and news is enabled by default

Categories

(MailNews Core :: Security, defect, P2)

x86
Windows NT
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: adamlock, Assigned: security-bugs)

References

Details

Create a new profile. Run Mozilla and goto the Preferences...|Advanced. The option "Enable Javascript for Mail and News" is checked. Javascript in mail is a horrible thing as anyone who's had porno popups appear when they've opened some spam can tell you. It should be disabled by default and people who *really* want it should have to go into the settings to enable it.
Hmm, interesting issue. I think I'll solicit some opinions on the newsgroup. Let me move this to n.p.m.security and see what comes of it.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
cc: sol and putterman since I'm not sure if our mail start page has any JavaScript in it.
lchiang, Response on the newsgroup has been overwhelmingly positive for this change; I'd like to do it. If your start page contains js, can the js be removed? Is it crucial?
I'm not sure what contents are on the Netcenter Start Page. The other thing that disabling JS on default may "break" would be vcards. If someone received a message with a vcard, s/he won't be able to see/use the two buttons for the vcard: "View Complete Card" and "Add to Address Book". I will send email separately to Sol to respond. I think this is a Marketing call/user perception/security item (at least for Netscape 6).
Well, this has been our default for years (JS enabled). I would rather keep it that way. We have customers with applications that require it. If we change a default, now their custom apps instantly "break". - rhp
We may need to have a different default for Netscape 6 vs. Mozilla here since Mozilla wants JS disabled as a default. If that is the desired outcome, then this fix should only apply to Mozilla and not the commercial tree.
Though it might inconvenience a few customers to have this feature disabled, I think we should consider the worst case scenario here. What if someone found a nasty Javascript exploit so that when someone opened an email their machine was trashed, or everyone in their address book was sent a copy of the message? Do we want 99.99% of our users to be vulnerable or immune to such a hazard by default? So what if we inconvenience a few customers? If this is the biggest problem they face moving to Communicator 6.0 they should consider themselves lucky. Besides if they *really* want Javascript to be enabled they should use CCK and build their own distributable with the feature turned on.
I disagree with the change proposed here. The pref to enable JS in mail was always intended as a safety valve in case some terrible exploit was discovered. It was never intended to be the default setting, and I think our (Netscape's) goal of promoting rich email is damaged by turning it off. I don't care if the mozilla folks want JS disabled by default in mail, but I think JS in mail should be enabled in Netscape builds. Of course, if you (mstoltz) think our JS security story is not robust enough to support this, then I'd reconsider. In 4.x, our JS security story was good enough to support this.
The mail start page does not currently use JavaScript. However, I tend to agree with Rich (and now Phil) that we have provided JavaScript enabled for years, and that there are many legitimate uses for JavaScript in email messages which we would break by switching the default behavior.
If marketing folks want this kept on on NS6, then we'll leave it on. I'll see about turning it off in Mozilla only, since response from the Mozilla community seems to favor that. Phil, when you ask if our JS is robust enough, I believe it will be so by FCS. I think the issue here is not damaging JS exploits so much as annoying spam which opens browser windows, etc, but if it's Netscape's position that such things should be allowed, then so be it. Perhaps we could offer users a script which configures a "spam-free mode" which could do such things as restricting the use of Javascript or simply restricting pop-up windows. I think a lot of users would appreciate this.
What mozilla.org does with Mozilla is mozilla.org's decision. As for N6, I agree with Sol that there are almost certainly legitimate uses for this functionality, and there may well be enterprise clients who depend on this. We don't have the PM cycles to investigate the issue at this late stage in the development cycle. We're trying to minimize risk & get this product out the door, so I strongly urge that we make this bug WONTFIX for Netscape 6. (mozilla.org can do whatever it wishes.) We can always revisit the question for 6.1 if we wish. In the meantime, people who want to turn this off are already able to do so. Mitch, please determine whatever mozilla.org wants & do that for the Mozilla product, and then close this bug. Thanks!
Response to this proposal from Netscape Marketing has been a resounding no. How would people feel about disabling JS in mail/news by default in Mozilla, but not in NS6?
Since this comes down to whether Mozilla wants this, I'll cc: asa who is the Mozilla QA person.
QA Contact: lchiang → asa
Also cc'ing brendan since he and I were involved in the first implementation of this pref, and so he can represent "what mozilla wants"
> I think the issue here is not damaging JS exploits so much as
> annoying spam which opens browser windows, etc, but if it's Netscape's
> position that such things should be allowed, then so be it.

I wouldn't phrase it quite that way. It's my position that there are legitimate uses for JS in rich email, and that those outweigh the cost of annoying uses for JS in email. If any individual disagrees, they have the pref. I have no problem with the mozilla version of the product having a different default value for the pref. We do that in a number of places anyway.
Does this bug need to be marked Netscape Confidential?
Group: netscapeconfidential?
Mozilla wants lots of controls, for shutting off JS popup windows, JS status bar spammers, etc. We have some bugs already on file requesting such capabilities (bug 858? I think that's the number). There haven't been intense arguments in such bugs about what the default should be. Re: scriptability of plugins, at least Braden McDaniel was vociferous in advocating an incompatible (off) setting for the pref. In the mean time, lots of VB mail virii have come and gone, with lots of bad press (though too little attaches to MS -- it's as if people assume Outlook came from heaven and they have no choice). With JS and XPConnect, I'm very afraid. I have no problem personally with defaulting JS to "off" in mail/news. However, "what Mozilla wants" is best determined by asking in a newsgroup, not by asking little me in this bug. How about posting to m.mailnews and m.security with followups set to m.mailnews? /be
How about asking in installer (for those who use it) if you want this? However, I think it could be easy to write a self replicating script that opens lots of new windows, which will lead to the user having to close them all, or even crash us. What would be good is if the page actually has js, and it is turned off, to have a pop-up telling you that it is off. One thing for js - some newsletters are sent with ads, and they often use js. But then again, that is a positive side effect (no ads) for various members ;)
Could this not be asked when setting up a new mail account? As far as migration, if they have it en/dis-abled in 4.x, then they should have it retain that state in Mozilla as well, as seems to be the case right now. If not, then the standard should remain the same, simply because it is what people expect. No need to rock the boat. The switch is there, they can flip it if they feel the need.
Jason, I agree. This is not the time, as much as I like the idea. Marking WONTFIX but maybe we can consider this later.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → WONTFIX
Don't mark this WONTFIX if you think it should be reconsidered later. Mark it milestone future and add HELP WANTED to the status whiteboard, but leave it open, ok? Maybe find someone not burdened by nsbeta2 concerns to own it, too. /be
I think that the general consensus in the newsgroups and irc has been to turn it off by default in mozilla. I suspect that mozilla's audience is sophisticated enough to turn it on if they want it.
All right, I've heard convincing arguments for turning this off by default in Mozilla. Reopening, and I'll make this change. Since this is Mozilla-only and shouldn't affect stability, I suppose I don't need Netscape checkin approval...or do I?
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Target Milestone: --- → M17
updating QA contact
QA Contact: asa → czhang
Why would you need netscape.com approval? If you work for them (happenstance!) you may have to farble their commercial tree so its pref defaults differently. But please do disable JS by default in cvs.mozilla.org's mail/news. Thanks,
Status: REOPENED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Done.
Looks like commercial tree farbling has not been done. Reopening. Verification must include JS enabled in mail in commercial build.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
http://beckett.mcom.com/commercial/source/modules/libpref/src/init/all-ns.js#11 Phil, I checked this in at the same time. Reclosing.
Status: REOPENED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Sorry Mitch. I looked in commercial bonsai, which doesn't show your change. ???
verified, JS turned on by default in mail&news for NS6 commercial build, also tested signed script in mail, it is working fine. pass the bug to asa@mozilla.org to verify in mozilla build
QA Contact: czhang → asa
re-opening. It looks like javascript is still enabled in mailnews even though the pref is unchecked. It seems that checking or unchecking the Advanced pref has no effect. tested with 082308 mozilla build on Mac
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
nsbeta3/p2
Keywords: nsbeta3
Priority: P3 → P2
This should be fixed now.
Status: REOPENED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
verified 092505 mozilla builds do not have enable javascript in mail-news set to yes. Javascript in mail-news is not enabled by default for mozilla builds.
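The thread turns on which pref file sets the default (the Mozilla tree's all.js versus the commercial all-ns.js the bug links to) and on the fact that a user can still flip the setting in their profile. The following is an added example, not code from this bug or from Mozilla: a small auditor that parses Mozilla-style pref files (`pref(...)`, `user_pref(...)`, `lockPref(...)` lines) and resolves the effective value of the mail/news JavaScript setting across layered files, so a verifier can confirm which build ships which default and whether a profile overrides it. The pref name `javascript.allow.mailnews` is assumed here (the page only references all-ns.js line 11, not the key itself), and all file contents are constructed samples.

```python
import re

# Assumed pref name; the bug page only references all-ns.js line 11, not the key.
MAILNEWS_JS_PREF = "javascript.allow.mailnews"

# libpref files are lines of the form: pref("name", value);
# user_pref(...) appears in a profile's prefs.js, lockPref(...) in autoconfig files.
PREF_LINE = re.compile(
    r'^\s*(?P<kind>pref|user_pref|lockPref)\s*\(\s*"(?P<name>[^"]+)"\s*,\s*'
    r'(?P<value>.*?)\s*\)\s*;\s*$'
)


def parse_value(raw):
    """Convert the textual pref value into bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    return int(raw)  # anything else is malformed and raises ValueError


def parse_prefs(text):
    """Return {name: (value, locked)} for every pref statement in the file text.
    Blank lines, // comments and non-pref lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        m = PREF_LINE.match(line)
        if not m:
            continue
        prefs[m.group("name")] = (parse_value(m.group("value")),
                                  m.group("kind") == "lockPref")
    return prefs


def effective_value(name, layers):
    """Resolve one pref across ordered (label, text) layers; later layers win,
    except that a lockPref in an earlier layer freezes the value.
    Returns (value, label_of_deciding_layer), or (None, None) if unset."""
    value, source, locked = None, None, False
    for label, text in layers:
        entry = parse_prefs(text).get(name)
        if entry is None or locked:
            continue
        value, source = entry[0], label
        locked = entry[1]
    return value, source


# Constructed sample layers (not the real files): a Mozilla-style default,
# the commercial override the bug describes, and a user's profile prefs.
MOZILLA_DEFAULTS = """
// all.js (constructed sample)
pref("javascript.enabled", true);
pref("javascript.allow.mailnews", false);
"""

COMMERCIAL_DEFAULTS = """
// all-ns.js (constructed sample): commercial tree re-enables JS in mail/news
pref("javascript.allow.mailnews", true);
"""

USER_PREFS = """
// prefs.js (constructed sample): user unticked the Advanced checkbox
user_pref("javascript.allow.mailnews", false);
"""


def audit(build_label, layers):
    """Report the resolved setting for one build/profile combination."""
    value, source = effective_value(MAILNEWS_JS_PREF, layers)
    state = "UNSET" if value is None else ("ENABLED" if value else "DISABLED")
    print(f"{build_label}: JS in mail/news {state} (decided by {source})")
    return value


if __name__ == "__main__":
    audit("Mozilla build", [("all.js", MOZILLA_DEFAULTS)])
    audit("Commercial build", [("all.js", MOZILLA_DEFAULTS),
                               ("all-ns.js", COMMERCIAL_DEFAULTS)])
    audit("Commercial build + user profile",
          [("all.js", MOZILLA_DEFAULTS), ("all-ns.js", COMMERCIAL_DEFAULTS),
           ("prefs.js", USER_PREFS)])
```

Layer order matters: defaults first, then the commercial overlay, then the profile. A `lockPref` layer (autoconfig) placed before the profile pins the value regardless of what the user later sets, which is the shape an enterprise deployment would use to keep mail JavaScript off.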
Status: RESOLVED → VERIFIED
*** Bug 54141 has been marked as a duplicate of this bug. ***
Product: MailNews → Core
Product: Core → MailNews Core