Included scripts from trusted domains do not execute on non trusted pages, but iframes from trusted domains on non trusted pages do run.
Is this behavior dictated by Fx script permissions capabilities or a deliberate design choice? Perhaps it would make sense to optionally block scripts on trusted iframes when included on non trusted pages?
trusted iframes on non trusted pages
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
- Giorgio Maone
- Site Admin
- Posts: 9527
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: trusted iframes on non trusted pages
al_9x wrote: Is this behavior dictated by Fx script permissions capabilities or a deliberate design choice?
It is a deliberate design choice.
al_9x wrote: Perhaps it would make sense to optionally block scripts on trusted iframes when included on non trusted pages?
They're already blocked when one of the ancestors is untrusted.
You can make them blocked also for non-trusted ancestors by setting the noscript.docShellJSBlocking about:config preference to 2.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Re: trusted iframes on non trusted pages
Giorgio Maone wrote: You can make them blocked also for non-trusted ancestors by setting the noscript.docShellJSBlocking about:config preference to 2.
Sorry, missed that. What do you think of making the icon (and the menu?) reflect docShellJSBlocking=2 somehow? Perhaps a slightly different icon when trusted inclusions on untrusted pages are allowed (frames with docShellJSBlocking=1) vs. not (frames with docShellJSBlocking=2 and scripts)?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
- Giorgio Maone
Re: trusted iframes on non trusted pages
al_9x wrote: What do you think of making the icon (and the menu?) reflect docShellJSBlocking=2 somehow? Perhaps a slightly different icon when trusted inclusions on untrusted pages are allowed (frames with docShellJSBlocking=1) vs. not (frames with docShellJSBlocking=2 and scripts)?
I don't want to go there. We've got already tons of icons, and this is quite a fringe option.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Re: trusted iframes on non trusted pages
Actually, I just realized there is no need for another icon.
will do, same as with scripts from a trusted domain on a non trusted page. There is after all a significant difference between nothing running and something running, the icon should reflect it.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Re: trusted iframes on non trusted pages
The above also applies to the default case (docShellJSBlocking=1) with a three level frame hierarchy:
non trusted root (L0), non trusted L1, trusted L2 - L2 script runs, icon is
non trusted L0, untrusted L1, trusted L2 - nothing runs, icon is still
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3