Closed Bug 456481 Opened 11 years ago Closed Last year
RSS display-content mode usability impaired by lack of JS support (for feed article summary)
Besides the "Bob & Carol & Ted & Alice" scenario (wiretap), I'd like to name another movie title: "What About Bob?" Bob likes to use RSS feeds to view his "opt-in" RSS content, and many new users of TB would say that feeds in TB just don't work. For instance: http://www.nasa.gov/rss/image_of_the_day.rss for simple images. Does bug 458883 constitute due diligence against the specially crafted and malicious RSS feed that wants to know where my profile is located on my HD? If so, can we move forward on making feeds actually work for common usage?
Depends on: 453928
No, no change to what properties we have CAPS check for will affect the fact that quickstubs mean CAPS may not get called at all.
Summary: RSS feeds usability severely limited → RSS display-content mode usability impaired by lack of JS support
Loading content isn't quite unheard of (RSS Bandit will do it, but only for feeds with *no* description, not for ones where it suspects the description is lame), though making it possible to open the web page in a separate browser tab within the feed reader app is vastly more common. The problem is we're uniquely positioned to be screwed: a typical client app doesn't have to worry about privilege escalation, because it isn't implemented in JS (though they still have to worry about local zone issues and leakage in combined views, so many still do disable all script and plugins), and even if they did have to worry about privilege escalation, they would have vastly less to lose than we do, while an online reader has to prevent all script but can just open web pages in the browser, because hey, it's the same program. Then there's the email integration: I suppose it's possible that there's a feed reader somewhere that does both "load this web page" and "email this web page" but if there is, they certainly aren't going to feel responsible for any wiretap, while we're responsible from end to end.
email#feeds#newsgroups. So why should we attempt to apply common rules? Though you can't control the content of your inbox, the user specifically subscribes to feeds and news. How difficult would it be to break out a separate pref for JS in feeds and news? Hidden would be fine; those that want it would find it.
Just a comment from an end user: I agree that this makes news feeds less useful than they could be. I subscribe to several feeds that include content that I cannot see and unless they specifically mention in the text that there is content, then I don't know I am missing it unless I click on the link to open it in a separate window. If you could get this working, it would be great. I love the news feed feature in Thunderbird; it has really lessened the time I need to spend using my browser to get info about my interests. I just process it all as incoming mail. :-)
I am using 3.0b3 and video content in my feeds still doesn't show up.
Ah yes it's only enabled when showing it in the web page mode.
Flags: wanted-thunderbird3? → wanted-thunderbird3-
(In reply to comment #10)
> Ah yes it's only enabled when showing it in the web page mode.
Seems like sometimes yes, and sometimes no. Viewing http://www.nasa.gov/rss/image_of_the_day.rss in web page mode shows the noscript alert.
We could morph it, I suppose, though as soon as bug 504965 gets fixed, we'll have to morph it back.
(In reply to Joe Sabash from comment #11)
> (In reply to comment #10)
> > Ah yes it's only enabled when showing it in the web page mode.
>
> Seems like sometimes yes, and sometimes no.
> Viewing http://www.nasa.gov/rss/image_of_the_day.rss in web page mode shows
> the noscript alert.
The noscript problem in web page mode is due to a slip-up in how content policy sets js allowed. There is a fix in bug 662907 pending tests. JS runs in http content in messagepane, which feed web pages are.
Assignee: nobody → alta88
Comment on attachment 8373459 [details] FeedSummaryContent Speaking as someone who will refuse to review a patch touching content security policies: I agree, in principle, that RSS need not require the same strict measures that mail has. That said, I feel that it is more important that there be no way for a mail message to escape the mail sandboxing. Balancing these two requirements may ultimately require sending RSS feed summaries down different code paths than mail at levels beyond just content policy. Another thing to keep in mind is that the Mozilla brand is in part built upon stronger privacy commitments than most of our competitors. Enabling something that can trigger external resource loads based on attacker-controlled logic (and thus communicate data) is to me unacceptable without sufficient measures in place to prevent the communication of sensitive data (a category which includes base URLs of messages at present).
Comment on attachment 8373459 [details] FeedSummaryContent I think I'm in vague alignment with Joshua. My specific concerns would be:
- The general notion of displaying as a summary, or simple view, is perceived by a lot of folks as a "safe" way of displaying items within Thunderbird. The more complex displays are for the full functionality that the sender intended.
- It is unclear from the RSS spec if the description is really meant to be a rich field; it seems HTML is allowed, but it is unclear about anything else.
- The security implications would warrant further thinking and investigation, especially with how this relates to other messages, and I think I'd want a security review at a minimum.
The first item is really the biggest issue for me. Whilst I can understand the desire to allow as much as possible, I think there's a pre-existing expectation here from the user.
Attachment #8373459 - Flags: feedback?(standard8) → feedback-
Comment on attachment 8373459 [details] FeedSummaryContent I don't think I have anything useful to add to Standard8 or jcranmer's feedback.
We've recently had security bugs where this subject may have been discussed. Do they put this bug in a new light, and is this bug perhaps a duplicate?
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → WONTFIX
Summary: RSS display-content mode usability impaired by lack of JS support → RSS display-content mode usability impaired by lack of JS support (for feed article summary)