trusted iframes on non trusted pages
Posted: Thu Jun 10, 2010 6:02 pm
by al_9x
Included scripts from trusted domains do not execute on non trusted pages, but iframes from trusted domains on non trusted pages do run.
Is this behavior dictated by Fx script permissions capabilities or a deliberate design choice? Perhaps it would make sense to optionally block scripts on trusted iframes when included on non trusted pages?
Re: trusted iframes on non trusted pages
Posted: Thu Jun 10, 2010 7:34 pm
by Giorgio Maone
al_9x wrote: Is this behavior dictated by Fx script permissions capabilities or a deliberate design choice?
It is a deliberate design choice.
al_9x wrote:
Perhaps it would make sense to optionally block scripts on trusted iframes when included on non trusted pages?
They're already blocked when one of the ancestors is untrusted.
You can make them blocked also for non-trusted ancestors by setting the noscript.docShellJSBlocking about:config preference to 2.
Re: trusted iframes on non trusted pages
Posted: Thu Jun 10, 2010 8:07 pm
by al_9x
Giorgio Maone wrote: You can make them blocked also for non-trusted ancestors by setting the noscript.docShellJSBlocking about:config preference to 2.
Sorry, missed that. What do you think of making the icon (and the menu?) reflect docShellJSBlocking=2 somehow? Perhaps a slightly different icon when trusted inclusions on untrusted pages are allowed (frames with docShellJSBlocking=1) vs. not (frames with docShellJSBlocking=2 and scripts)?
Re: trusted iframes on non trusted pages
Posted: Thu Jun 10, 2010 8:23 pm
by Giorgio Maone
al_9x wrote: What do you think of making the icon (and the menu?) reflect docShellJSBlocking=2 somehow? Perhaps a slightly different icon when trusted inclusions on untrusted pages are allowed (frames with docShellJSBlocking=1) vs. not (frames with docShellJSBlocking=2 and scripts)?
I don't want to go there. We've got already tons of icons, and this is quite a fringe option.
Re: trusted iframes on non trusted pages
Posted: Thu Jun 10, 2010 8:47 pm
by al_9x
Actually, I just realized there is no need for another icon.

will do, same as with scripts from a trusted domain on a non trusted page. There is after all a significant difference between nothing running and something running, the icon should reflect it.
Re: trusted iframes on non trusted pages
Posted: Thu Jun 10, 2010 9:56 pm
by al_9x
The above also applies to the default case (docShellJSBlocking=1) with a three level frame hierarchy
non trusted root (L0), non trusted L1, trusted L2 - L2 script runs, icon is
non trusted L0, untrusted L1, trusted L2 - nothing runs, icon is still
