
Javascript block through javascript.enabled false not working as expected in newer versions, any actual way?

  • 5 replies
  • 1 has this problem
  • 5 views
  • Last reply by kmjh


For a few versions now, since around 24.0 or earlier, toggling javascript.enabled from true to false to block JavaScript doesn't work after a page has loaded.

Further details:

1. Load a page with JavaScript enabled.
2. Toggle the JavaScript preference to block JavaScript (javascript.enabled from true to false).
3. If you interact with JavaScript elements, they still work.

This wasn't this way in earlier versions.

You can check in the following page. You'll see that the only way to actually block javascript execution is to load the page with the preference javascript.enabled set to false (A.K.A. javascript blocked):

http://www.geocities.ws/jothache/event_listener.html

Note: to easily change JavaScript preferences, those who don't want to play with about:config can use add-ons like QuickJava: https://addons.mozilla.org/en-US/firefox/addon/quickjava/

I find that the way it works now, in the latest versions, is a VERY HUGE SECURITY ISSUE, as JavaScript is never actually blocked when the preference is toggled and AJAX (XMLHttpRequest through JavaScript) still works, so the possibility of loss of privacy increases, for example through mouse tracking that is sent to the server, not only with the example scripts I posted above.

The question is, is there any way to really block JavaScript in the latest versions, or should I report this as a bug?

Regards.


All Replies (5)


Hi mjh, Definitely report this as a bug at bugzilla.mozilla.org. If you have any questions on how/what to report, here is a guide on how to report a good first bug: Good First Bug


It is weird that disabling JavaScript only for that tab via docShell works, but disabling JavaScript globally does not.


Hi guigs2,

I only find one problem with your directions on how and what to report, and it's that it looks like the guide is for developers and I'm not one, I'm just a user.

When I asked above if I should report I thought of a less complex method.

Can I still report as a normal user?

If not, I'd request that some developer test, confirm, as you already did, and report in my place.

Regards.


Hi kmjh, Not a problem. I tested the page you mentioned again to be sure and it looks like when you disable javascript in the about:config, the javascript in the page will not stop working until you refresh the page.

As for being able to send AJAX (XMLHttpRequest through JavaScript) requests on a page where JavaScript is still interactive, this would be the specific security risk that is in question for experimentation. And it looks like it still did.

Just to make sure it's the analytics information that is being referred to. There are ways to track users that are not using JavaScript as well (i.e. http://moz.com/ugc/how-to-track-website-visitors-with-j...)

But this was a pretty interesting question as well on superuser: http://superuser.com/questions/688808/how-do-i-suppress-google-tracking-wh... NoScript was introduced as a workaround, or block scripts on the local computer in the hosts file as well.


Hi guigs2,

If there is no problem in opening the bug ticket as a simple user, I'll report it myself (if I haven't misunderstood you). (Confirm this and I'll do it myself.)

About the AJAX problem, here we have a sample test that works after toggling the preference: http://www.w3schools.com/xml/xml_http.asp

I know about NoScript and I don't like it. I prefer to do it manually (those measures and more). What bothered me is that even toggling the preference, which in the past did the job of stopping the execution of scripts, now doesn't. In about version 24 it was only happening to event listeners not being blocked (used nowadays for dynamic event assignments). Now it is with every JavaScript code.

About the tracking methods, I'm aware of HTTP tracking without any need of javascript. Even a simple "knock knock" on any kind of server leaves a trace.

I was just pointing out that this preference ceasing to do its job (stopping script execution) has its worst scenario, security-wise, with XMLHttpRequest calls.

But one of the things that bothers me too, and it is not related to tracking, is that, on humble machines such as mine, some JavaScript code makes overall performance drop and the preference toggle now does nothing, so the script keeps running without my being able to do anything, and sometimes you don't have the option to load a page without JavaScript because you need some feature of that page that requires JavaScript, which becomes "all or nothing".

Regards.
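
A way to check the behaviour reported in this thread on your own Firefox build, as an added example that is not part of any post: a probe that timestamps timer, event-listener and XMLHttpRequest activity so you can see which of them still run after javascript.enabled is toggled on an already-loaded page. The names `createProbe` and the `env` hooks are hypothetical, and the browser wiring assumes the page is served from a URL it can request from itself.

```javascript
// Added example, not from the thread. Logs each kind of script activity
// with a timestamp; `env` is injected so the logic also runs outside a browser.
function createProbe(env) {
  const log = []; // entries: { kind, at }
  const record = (kind) => {
    const at = env.now();
    log.push({ kind, at });
    env.show(kind, at); // surface the latest activity to the user
  };
  return {
    start() {
      env.every(1000, () => record('timer')); // setInterval path
      env.onClick(() => {                     // event-listener path
        record('listener');
        env.request(() => record('xhr'));     // XMLHttpRequest path
      });
    },
    // Kinds of script activity observed strictly after time `t` (ms).
    activeAfter(t) {
      const kinds = log.filter((e) => e.at > t).map((e) => e.kind);
      return [...new Set(kinds)].sort();
    },
  };
}

// Browser wiring: requests go only to the page's own URL.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  createProbe({
    now: () => Date.now(),
    every: (ms, fn) => setInterval(fn, ms),
    onClick: (fn) => document.addEventListener('click', fn),
    request: (done) => {
      const xhr = new XMLHttpRequest();
      xhr.open('GET', location.href);
      xhr.onload = done;
      xhr.send();
    },
    show: (kind, at) => {
      document.title = kind + ' @ ' + new Date(at).toLocaleTimeString();
    },
  }).start();
}
```

Load a page containing this script with JavaScript enabled, note the time, toggle the preference, then click the page: if the tab title keeps updating with later times, that kind of script activity was not stopped by the toggle.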