Open Bug 969037 Opened 6 years ago Updated 6 years ago
Frameinjection initiated by JS should be prevented
In addition: changing the src attribute using js should be block as well as the creation of iframes using js iFrames that are in the original sourcecode have to be checked by antivirus software still which should cause no additional issue (we don't want to block legal usage like YouTube comments (G+) and Google Ads etc.)
mmh...so you think it would bombard the user with iFrame warnings? (pop-ups are a standard as well and still Mozilla implemented methods to prevent invisible execution of scripts etc. because it was misused. Or is the blocking of pop-ups part of the standard now?) can you give an example what jquery uses iFrames in Firefox for what cannot get achieved with Ajax? for me it's mostly a layout option without a technical background so I would appreciate it if you can explain this a bit further or give me a link with further informations so that I can look it up myself ;)
> mmh...so you think it would bombard the user with iFrame warnings? Yes. > and still Mozilla implemented methods to prevent invisible execution of scripts No, Mozilla implemented mitigation measures against malicious behavior that harmed users but was very rarely used by sites users cared about. The iframe situation is different. > can you give an example what jquery uses iFrames Sure. The function following the comment at https://gist.github.com/rwaldron/8720084#file-jquery-js-L5432 is called on pretty much any jQuery page and creates an invisible iframe in many cases.
does this iFrame workaround apply to Firefox or is Firefox able to detect the default display directly with elemdisplay() or actualdisplay()? If Firefox doesn't use the iFrame because it is a workaround for other browsers then the example will be wrong.
At least Thunderbird should prevent such iFrames in my opinion.
> does this iFrame workaround apply to Firefox Yes. > At least Thunderbird should prevent such iFrames in my opinion. Thunderbird doesn't run script (unless you go out of your way to turn it on, which you shouldn't), so all this is totally irrelevant to Thunderbird.
Mozilla could also work together with the W3C and the query developers to implement proper standards and replace these workarounds
You need to log in before you can comment on or make changes to this bug.