Bug 971598 - (self-xss) [meta] Mitigate "Self-XSS" attacks
Posted: Mon Mar 10, 2014 11:00 pm
by therube
Just an FYI:
Bug 971598 - (self-xss) [meta] Mitigate "Self-XSS" social engineering attacks
Note that NoScript long ago, by default, "Disabled execution of javascript: and data: URLs typed or pasted in the address bar (noscript.allowURLBarJS preference)".
Re: Bug 971598 - (self-xss) [meta] Mitigate "Self-XSS" attac
Posted: Mon Mar 10, 2014 11:06 pm
by Thrawn
I can't see any details at all on that bug?
Re: Bug 971598 - (self-xss) [meta] Mitigate "Self-XSS" attac
Posted: Tue Mar 11, 2014 2:03 pm
by therube
The Depends Bugs will have more detail.
What they're looking to do & why.
Re: Bug 971598 - (self-xss) [meta] Mitigate "Self-XSS" attac
Posted: Tue Mar 11, 2014 4:11 pm
by barbaz
Read a similar thread a while back about Mozilla trying to completely stop javascript: URLs from doing anything when typed in or pasted...
Does any of this mean that people who actually *can* vet javascript: URLs for ourselves won't be able to execute even harmless javascript from the URL bar? If so, any workarounds?
Re: Bug 971598 - (self-xss) [meta] Mitigate "Self-XSS" attac
Posted: Tue Mar 11, 2014 6:52 pm
by Giorgio Maone
barbaz wrote:
Does any of this mean that people who actually *can* vet javascript: URLs for ourselves won't be able to execute even harmless javascript from the URL bar? If so, any workarounds?
It has already been disabled long ago.
The workaround is using NoScript and turning the preference on, which causes NoScript to emulate URL bar JS just like it does for bookmarklets on non-whitelisted websites.