Last Comment Bug 873709 - Firefox v23 - "Disable JavaScript " Check Box Removed from Options/Preferences Applet
: Firefox v23 - "Disable JavaScript " Check Box Removed from Options/Preference...
Status: RESOLVED INVALID
:
Product: Firefox
Classification: Client Software
Component: Preferences (show other bugs)
: 23 Branch
: All All
: -- normal with 8 votes (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
: 920066 965443 (view as bug list)
Depends on:
Blocks: 851702
  Show dependency treegraph
 
Reported: 2013-05-17 17:48 PDT by JS_SPYWARE
Modified: 2014-01-29 12:18 PST (History)
34 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Screen Shot 2013-05-17 at 8.45.29 PM.png (93.19 KB, image/png)
2013-05-17 17:48 PDT, JS_SPYWARE
no flags Details

Description JS_SPYWARE 2013-05-17 17:48:29 PDT
Created attachment 751273 [details]
Screen Shot 2013-05-17 at 8.45.29 PM.png

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:23.0) Gecko/20130517 Firefox/23.0 (Nightly/Aurora)
Build ID: 20130517004016

Steps to reproduce:

Firefox Automatically Updated to v23 in the Aurora Channel, and even though I had deliberately disabled JavaScript, the update re-enabled JavaScript, and removed the "Disable JavaScript" option from the settings applet.


Actual results:

The ability to disable JavaScript is now obfuscated, and users are deliberately discouraged against manipulating their JavaScript preferences. This is wrong, and inhibits a users understanding of what happens when they load a web page.

The following is not an acceptable work around:
about:config > javascript.enabled 

This destroys a non-technical user's grasp of the differences between static HTML and programatically manipulated HTML. It hides the setting amidst hundreds of other obscure settings, and does not emphasize the extremely powerful tool that JavaScript is, and the fact that it is optional.


Expected results:

When updating Firefox, my personal settings should not be disturbed. If I have disabled JavaScript, it may be for a very good reason. The JavaScript setting should be nearly at my fingertips, as a native setting, with out the assistance of an add-on. 

In the preferences applet, it's about 5 clicks deep.

In the "about:config" registry, I must first KNOW that the registry exists, and know what to type to find it. I must bypass a warning, assuring that I understand the nature of the settings I will be "tampering" with. I must know to search for the registry key. I must figure out what registry key to search for. I must type in the search string correctly and locate the proper setting, and I must change the setting properly. 

Take note that there is cognitive dissonance in the idea that changing settings in "about:config" may be dangerous, even though this is the only way to disable JavaScript now, and that leaving JavaScript enabled at all times is not "universally safe." Please don't pretend that it is.
Comment 1 Mihaela Velimiroviciu (:mihaelav) 2013-05-30 05:19:28 PDT
Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20130529 Firefox/23.0

WFM when updating Aurora from 22.0a2 to 23.0a2: JS remains disabled. Indeed, the JS enable/disable option is no longer available in the preferences pane.
Comment 2 Mihaela Velimiroviciu (:mihaelav) 2013-06-10 06:50:12 PDT
(In reply to Mihaela Velimiroviciu [QA] (:mihaelav) from comment #1)
> Indeed, the JS enable/disable option is no longer available in the preferences pane.

Is that preference really meant to be removed?
Comment 3 :Gijs Kruitbosch (away 26-29 incl.) 2013-06-10 06:56:35 PDT
(In reply to Mihaela Velimiroviciu [QA] (:mihaelav) from comment #2)
> (In reply to Mihaela Velimiroviciu [QA] (:mihaelav) from comment #1)
> > Indeed, the JS enable/disable option is no longer available in the preferences pane.
> 
> Is that preference really meant to be removed?

Yes.
Comment 4 Gwynne Raskind 2013-06-30 22:29:29 PDT
(In reply to :Gijs Kruitbosch from comment #3)
> (In reply to Mihaela Velimiroviciu [QA] (:mihaelav) from comment #2)
> > (In reply to Mihaela Velimiroviciu [QA] (:mihaelav) from comment #1)
> > > Indeed, the JS enable/disable option is no longer available in the preferences pane.
> > 
> > Is that preference really meant to be removed?
> 
> Yes.

This is an extreme step backwards in Web browsing safety. As much as I recognize that sites on the modern Web generally don't work without JavaScript, there are more than enough legitimate reasons to disable it to leave the option in a place where non-expert users can find it.
Comment 5 Masatoshi Kimura [:emk] 2013-06-30 23:24:43 PDT
The "javascript.enabled" pref is still available via about:config. (It is reset only once when updating to Firefox 23.)
NoScript will give better and finer control of script execution.
Comment 6 spencer 2013-06-30 23:29:51 PDT
If you are so concerned about your safety that you do not trust JavaScript (which is very well regulated by Firefox) then you probably shouldn't trust Firefox either.
Comment 7 spencer 2013-07-01 00:34:30 PDT
I have no business commenting here. Apologies.
Comment 8 Mathias Bynens 2013-07-01 01:22:19 PDT
Note that the capability to enable/disable JavaScript easily will return in Firefox 24’s developer tools. See https://twitter.com/davidbruant/status/351415593141940224.
Comment 9 Joe Walker [:jwalker] (needinfo me or ping on irc) 2013-07-01 01:52:36 PDT
(In reply to Mathias Bynens from comment #8)
> Note that the capability to enable/disable JavaScript easily will return in
> Firefox 24’s developer tools. See
> https://twitter.com/davidbruant/status/351415593141940224.

There are a number of legitimate reasons for disabling JavaScript. The developer tools feature targets the case where a web developer wishes to know how their site works when viewed by someone without JavaScript enabled. It's not designed as a replacement for a global JS on/off switch. about:config and NoScript etc are a better replacement IMHO.
Comment 10 Mikko Ohtamaa 2013-07-01 02:12:43 PDT
I am not a Firefox developer and I very welcome this setting. Even though it is very understandable people may see this change as evil, there is a positive goal and it's limiting the users ability to break their software.

http://limi.net/checkboxes-that-kill/

Namely, people in IT support thank you. 

If the high level of security is something you worry, you are disabling JavaScript per-site basis, then you are probably already using extensions like NoScript.
Comment 11 Blake Petersen 2013-07-01 13:16:58 PDT
I would like to echo Mikko's welcoming of this feature. As a web developer, we have become ever more reliant upon JavaScript to allow for some of our more advanced functionality to exist.

When leveraging SaaS platforms, developers are often limited to what they are allowed to do with backend code base, forcing use of client-facing scripting languages. 

Having this option seen by average, non-technical users allows for them to essentially break this client-facing scripting language without good reason. One may argue that having this option readily seen by average users may encourage them to question whether they need JavaScript, "if it can be turned off, there must be something scary about it, might as well just turn it off, don't know what it does but definitely don't want my identity stolen somehow..." *click*.

For users who know they need to have javascript disabled, they will know that they need to go into the config and manually turn it off, something the average user wouldn't know to do. It's 5 clicks, instead of 3. I feel this is an acceptable increase in steps if it allows for less users being able to unintentionally hobble their web browsing experience because of unwarranted paranoia. Once it's added to dev tools, may be even less steps to turn it off, ultimately. 

JS, like CSS, should not be able to be turned off so easily by users. It's an essential part of the modern web.
Comment 12 Duncan Bayne 2013-07-01 17:40:05 PDT
Regardless of whether or not to provide a UI option, this:

"(It is reset only once when updating to Firefox 23.)"

... is a serious usability bug.  Personally, I don't expect an upgrade to silently change my previously-configured settings, *especially* in the case where one of those settings is non-default.

At the very least, a warning dialog would have been appropriate.
Comment 13 kévin lepeltier 2013-07-02 03:37:23 PDT
http://www.mozilla.org/en-GB/about/manifesto/

Où est le "The Mozilla Manifesto"

-Individuals’ security on the Internet is fundamental and cannot be treated as optional.
-Individuals must have the ability to shape their own experiences on the Internet.

The spirit of mozilla sacrificed for a checkbox?
Is this resonable?

Is not our role to make the web more hack?
Comment 14 Noddy Long 2013-07-02 04:00:50 PDT
As a firefox user, just want to know if "Disable JS" is removed, what I should do in this kind of situation?
"What to do When a Website Won’t let you Leave"
http://cyberarms.wordpress.com/2010/03/10/what-to-do-when-a-website-wont-let-you-leave/
This blog suggest to kill the browser's process. I did this on IE but I hate to do that.
However on Firefox I find disable JS will let me close that particular annoying tab without kill other tabs or the whole browser all together. Then I could easily enable JS again.
So, If "Disable JS" is removed, are there any better way to solve this, without any add-on or plugin's help?
Comment 15 :Gijs Kruitbosch (away 26-29 incl.) 2013-07-02 04:35:49 PDT
Some clarifications:
- This preference is still available in about:config.
- There are add-ons such as NoScript or SettingSanity that will do what you want with more easily accessible UI.

(In reply to Noddy Long from comment #14)
> As a firefox user, just want to know if "Disable JS" is removed, what I
> should do in this kind of situation?
> "What to do When a Website Won’t let you Leave"
> http://cyberarms.wordpress.com/2010/03/10/what-to-do-when-a-website-wont-let-
> you-leave/

Pages that show repetitive dialogs will have a checkbox "Prevent this page from showing more dialogs", and that will let you exit the page. If you regularly encounter such problems (unlike most of our users), I guess I'd recommend looking into an add-on such as the aforementioned to help you deal with it.

(In reply to kevin from comment #13)
> http://www.mozilla.org/en-GB/about/manifesto/
> -Individuals’ security on the Internet is fundamental and cannot be treated
> as optional.
> -Individuals must have the ability to shape their own experiences on the
> Internet.

Turning JS off completely is the wrong security/usability tradeoff for the vast majority of users.

The ability to shape your experience (including turning of JS) is offered in many different ways. Not everything needs to be in primary browser UI. We did not actually remove a choice, just reduced the visibility of that particular choice. That does not go against either of these principles in the manifesto.

(In reply to Duncan Bayne from comment #12)
> Regardless of whether or not to provide a UI option, this:
> 
> "(It is reset only once when updating to Firefox 23.)"
> 
> ... is a serious usability bug.  Personally, I don't expect an upgrade to
> silently change my previously-configured settings, *especially* in the case
> where one of those settings is non-default.
> 
> At the very least, a warning dialog would have been appropriate.

The removal of this preference UI is noted in the Aurora release notes, and will be in the release notes as this change goes through our release trains.

Note that if we removed the preference from the UI but left it disabled, this would make life really hard for non-expert users that accidentally changed this, because they're a lot less likely than you are to be able to find out where to change this back.

As far as warning the user in a more visible way is concerned: If you, with full intent and full knowledge, want to change this preference, you are by definition a technologically advanced or even expert user.

If you noticed anything, and consider the new (enabled) behaviour 'broken', you are likewise techy/web-literate enough to know where to look to change it (or to do a web search to find out). The people who this preference was breaking the web for aren't, and they are by far the majority (yes, we do user research about how many of our users, statistically, are technologically advanced and how many are not). More generally, "add more dialog boxes/infobars" is practically never a solution.


Mikko and Blake, thank you for your support - keep on rocking the free web!

Anyone else who would like to comment: please note that this change was not made lightly; if you believe you have convincing arguments against it or would like it changed, instead of posting here please post to the firefox-dev mailing list: https://wiki.mozilla.org/Firefox/firefox-dev
Comment 16 tomasek 2013-07-02 08:54:47 PDT
Please, bring this option back.
Comment 17 Radim Kolar 2013-07-03 05:20:30 PDT
I agree with this change. Power users will install noscript.
Comment 18 Withy14 2013-07-03 06:03:05 PDT
Thanks a lot for removing such feature. It was really annoying to me and I rather use about:config and addons to do their job. Oh wait - this was sarcastic. To be honest as a lot of people here and on other sites states - JS is not secure and disabling it might cause some (a lot of pages not working properly) however what I don't fully understand is how can it break Firefox itself. If I disable JS than it affects sites not Firefox!!!  For this "updates and features" I disabled automatic updates and I update only after checking all the changes and if they bring something new. Instead of focusing on improving the performance and stability of this browser you just remove one feature from users eyes which I consider as security issue.
Comment 19 jimbo1qaz 2013-07-04 17:55:19 PDT
This is not a good decision. It is a very important feature to have. I suggest not removing it until the Inspect GUI is finished.
Until then, I suggest putting in a dialog box saying that it can break sites with a check box saying something like "I know what I'm doing" . And maybe on the next browser restart, put up a dialog saying "Javascript is disabled, this can cause problems, you should re-enable" with a "I know, don't ask next time" checkbox or button.
I do think the Inspect Element may be a better place for it, but until then, don't change what we need and love.
And by the way this constant "simplification" of the browser is turning it into another Chrome, which is exactly what I 'don't' want. Chrome is very inflexible in its configurations. Remember, if you keep trying to idiot-proof any software, you're treating all your users like idiots.
Comment 20 Shelley Powers 2013-07-05 09:16:01 PDT
I agree, this is _not_ a good decision. 

It is a pain when there are people who disable JavaScript. We have an option, though. We can just design our sites to use JS and those people are just out of luck. Everyone is given a choice. 

With this, you're taking choice away, and you're doing so for purely geeky reasons, not because of performance, or stability, or security. Just because it's so much more cool if we just don't have to deal with people having free choice. 

You're putting the option into a context the average person won't know about or understand. You're changing their setting without their knowledge. You're demanding people use add-ons that might confuse them, or again, they don't know about. 

This is a script kiddie move, not one I would expect from a mature, responsible product. Or are "mature" and "responsible" no longer cool enough for Mozilla?
Comment 21 GavinBrelstaff 2013-07-05 14:34:47 PDT
The venerable NOSCRIPT HTML tag is available to any developer in order to
tell there user to switch javascript back on again.

Surely we don't need to pretend that the options doesn't exist.
Web developers won't have that option.

Put the Preference option back again guys - and stop being to reductive please.
Pls stop pretending that removing a useful feature a release is doing development work.
Comment 22 Dan Q (RedBlade7) 2013-07-10 14:28:27 PDT
This is shocking and dangerous. I don't think I can recommend Firefox to anyone ever again, including clients.
Comment 23 Blake Petersen 2013-07-10 16:38:42 PDT
The option is in about:CONFIG. The option is not gone. It is been moved to a place that ensures users fiddling with it have a bit more insight as to how the browser functions and the implications of disabling JS. 

I don't know why everyone is ignoring this fact. It's not gone, plain and simple.

What's more, any user who would know they would like to not have JS and haven't yet found the setting, a simple Google search should get them where they need to be, about:CONFIG, search javascript.enabled, change from true to false. Stupid easy. 

If they are not sophisticated enough to help themselves in such a manner, I would argue they are not sophisticated enough to understand the implications of disabling JS and should be discouraged from doing so as much as possible.

I'm sure if there was an option to allow users to only accept secure urls, people would be clicking it like crazy too, but we all know what would happen if that was the case. There is no good reason to do this aside from unwarranted hyper-paranoia and would completely hobble the web for that user. Why people are wanting to allow for the same thing to happen with JS is beyond me. 

And, again to those refusing to acknowledge this simple fact, the option is still available! about:CONFIG -> javascript.enabled -> true
Comment 24 jimbo1qaz 2013-07-10 17:18:36 PDT
(In reply to Blake Petersen from comment #23)
> The option is in about:CONFIG. The option is not gone. It is been moved to a
> place that ensures users fiddling with it have a bit more insight as to how
> the browser functions and the implications of disabling JS. 
> 
> I don't know why everyone is ignoring this fact. It's not gone, plain and
> simple.
> 
> What's more, any user who would know they would like to not have JS and
> haven't yet found the setting, a simple Google search should get them where
> they need to be, about:CONFIG, search javascript.enabled, change from true
> to false. Stupid easy. 
> 
> If they are not sophisticated enough to help themselves in such a manner, I
> would argue they are not sophisticated enough to understand the implications
> of disabling JS and should be discouraged from doing so as much as possible.
> 
> I'm sure if there was an option to allow users to only accept secure urls,
> people would be clicking it like crazy too, but we all know what would
> happen if that was the case. There is no good reason to do this aside from
> unwarranted hyper-paranoia and would completely hobble the web for that
> user. Why people are wanting to allow for the same thing to happen with JS
> is beyond me. 
> 
> And, again to those refusing to acknowledge this simple fact, the option is
> still available! about:CONFIG -> javascript.enabled -> true

This is not an easy way to do it. Often I want to disable JS for one site to get around tracking, blocking, surveys, etc. I know NoScript is a better option, but it's not always convenient to enable a restart extension for one site. And the updates, and anti-Adblock... enough to make my head hurt.
I think nasty dialog boxes should be enough to put off most noobs. THe others... they belong on http://www.rinkworks.com/stupid/ and should be immediately euthanized or at least confined to a Net-free zone.
Comment 25 Duncan Bayne 2013-07-10 17:21:54 PDT
> And, again to those refusing to acknowledge this simple fact, the option is
> still available! about:CONFIG -> javascript.enabled -> true

I have no problem with the location of the option; my complaint is that upgrading Firefox causes the option to be turned off.  *That* is IMO a bug.
Comment 26 Shelley Powers 2013-07-10 17:29:03 PDT
(In reply to Blake Petersen from comment #23)
> The option is in about:CONFIG. The option is not gone. It is been moved to a
> place that ensures users fiddling with it have a bit more insight as to how
> the browser functions and the implications of disabling JS. 
> 
> I don't know why everyone is ignoring this fact. It's not gone, plain and
> simple.
> 
> What's more, any user who would know they would like to not have JS and
> haven't yet found the setting, a simple Google search should get them where
> they need to be, about:CONFIG, search javascript.enabled, change from true
> to false. Stupid easy. 
> 
> If they are not sophisticated enough to help themselves in such a manner, I
> would argue they are not sophisticated enough to understand the implications
> of disabling JS and should be discouraged from doing so as much as possible.
> 
> I'm sure if there was an option to allow users to only accept secure urls,
> people would be clicking it like crazy too, but we all know what would
> happen if that was the case. There is no good reason to do this aside from
> unwarranted hyper-paranoia and would completely hobble the web for that
> user. Why people are wanting to allow for the same thing to happen with JS
> is beyond me. 
> 
> And, again to those refusing to acknowledge this simple fact, the option is
> still available! about:CONFIG -> javascript.enabled -> true

It's available for developers and others in the know, but not available to the average person who has come to expect that an option for enabling/disabling JavaScript is available in settings—not based on some esoteric technique they may or may not understand, or even be comfortable using. 

And then to disable the person's setting without their knowledge...this is the height of hubris.
Comment 27 Blake Petersen 2013-07-10 20:27:39 PDT
Whoa, not all at once! ;D

(In reply to jimbo1qaz from comment #24)
> (In reply to Blake Petersen from comment #23)
> This is not an easy way to do it. Often I want to disable JS for one site to
> get around tracking, blocking, surveys, etc. I know NoScript is a better
> option, but it's not always convenient to enable a restart extension for one
> site. And the updates, and anti-Adblock... enough to make my head hurt.
> I think nasty dialog boxes should be enough to put off most noobs. THe
> others... they belong on http://www.rinkworks.com/stupid/ and should be
> immediately euthanized or at least confined to a Net-free zone.

Okay, you win. Can't argue with the power of some stern system alerts and "better know what your doing, noobycakes" inline warnings. Probably would have sufficed, at least until it was integrated into the dev tools. 

And that site is GOLD! xD

(In reply to Duncan Bayne from comment #25)
> > And, again to those refusing to acknowledge this simple fact, the option is
> > still available! about:CONFIG -> javascript.enabled -> true
> 
> I have no problem with the location of the option; my complaint is that
> upgrading Firefox causes the option to be turned off.  *That* is IMO a bug.

Another might consider it quality assurance, a means of ensuring less-savvy users are set back on the right track if they had inadvertently checked it and poof, the option was gone. Those who know they want to be on the no-JS track will notice pretty quickly something's not right and hop back over. Whereas non-tech users may never notice the change. A better world is one where the non-tech users are not expected to react and the more sophisticated user is as they will be more likely and more apt to notice and remedy the issue. 

As Gijs mentioned, the decision was not taken lightly and I am sure they took into account who this would help and who this might hinder and chose the option that best worked for the Firefox user base as a whole. Unfortunately, as it usually goes, the extra work falls on the expert users to get things back to how they prefer.

(In reply to Shelley Powers from comment #26)
> 
> It's available for developers and others in the know, but not available to
> the average person who has come to expect that an option for
> enabling/disabling JavaScript is available in settings—not based on some
> esoteric technique they may or may not understand, or even be comfortable
> using. 
> 
> And then to disable the person's setting without their knowledge...this is
> the height of hubris.

I guess this is where we are going to have to agree to disagree. I simply feel if you have good reason to turn it off, you'll seek out where the setting is and turn it off. There's danger in allowing expert settings to be easily tweaked by non-expert users.

I agree, it's a pretty technical spot to be putting a pretty technical setting that has a lot of technical implications non-technical users aren't going to understand. Thank our lucky stars they did reset the setting to true or we would have a lot of lost souls on broken browsers without any possible inkling as to what or why. 

It is pretty dope to be part of the discussion thread on something considered, above all else before, the height of hubris... ;]
Comment 28 :Gijs Kruitbosch (away 26-29 incl.) 2013-07-11 01:37:23 PDT
I believe at this point, there isn't much point in repeating the same objections that have been voiced previously (see also the points I made in comment 15), and considering some of the language used I will go ahead and restrict commenting to users with editbugs. To quote Justin when this happened on bug 851702:

Bugzilla isn't a discussion forum. If you've got constructive new information please take it to firefox-dev, but this has already been debated and the bar for revisiting the issue is high. The reason for this change is explained here and in http://limi.net/checkboxes-that-kill/. If you want to disable Javascript, you can use about:config (javascript.enabled) or NoScript for even better control.

Flames are also inappropriate for Bugzilla, and repeat offenders will be disabled. See https://bugzilla.mozilla.org/page.cgi?id=etiquette.html.

[Comments are now restricted to users with the editbugs privilege -- with privilege comes responsibility, so please consider carefully before commenting if you are able.]
Comment 29 Erik Vold [:erikvold] (please needinfo? me) 2013-08-08 13:45:48 PDT
This is a UX nightmare, please revert..
Comment 30 Valerio Capello 2013-08-09 05:14:55 PDT
This change is so awkward that makes you wonder if there have been pressures from the US government, as the FBI and/or NSA recently compromised the anonymity of TOR using a zero-day JavaScript exploit.

https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable

http://it.slashdot.org/story/13/08/06/1350206/tor-wants-you-to-stop-using-windows-disable-javascript

If this is the case, this bug should be reconsidered under these circumstances.
Comment 31 Valerio Capello 2013-08-09 05:16:47 PDT
JS Switch add-on for Firefox is a good workaround; it lets you enable/disable JavaScript with just one click:

https://addons.mozilla.org/firefox/addon/js-switch/
Comment 32 Valerio Capello 2013-08-09 05:30:56 PDT
and RightToClick add-on for the advanced JavaScript options which were removed as well (such as disable/replace context menus):

https://addons.mozilla.org/firefox/addon/righttoclick/
Comment 33 Mardeg 2013-09-24 08:21:10 PDT
*** Bug 920066 has been marked as a duplicate of this bug. ***
Comment 34 :Gijs Kruitbosch (away 26-29 incl.) 2014-01-29 12:18:25 PST
*** Bug 965443 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.