Restore option to disable Javascript

Moonchild
Pale Moon guru
Posts: 35481
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Restore option to disable Javascript

Post by Moonchild » 2014-04-14, 22:47

The whole "exploit" reason for disabling JS is a load of BS. That's all I have to say about it.

If JS was truly that much of a security risk, then nobody in the criminal world would go through the extensive effort to do more complex things like plugin-based exploits, DNS poisoning, MitM attacks, trojan toolbars, malware extensions, etc. They would all be using the "javascript exploits".

JS in page content is running in fully isolated compartments. If you can point me to a current, exploitable JS vulnerability that breaks out of these compartments or does something totally untoward with data it shouldn't have access to, then I (and everyone at Mozilla security) would be extremely interested to know the details. In fact, if you find one and report it to Mozilla, you may even be eligible for a "bounty" for reporting it, if it's an actual exploit.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

access2godzilla

Re: Restore option to disable Javascript

Post by access2godzilla » 2014-04-15, 05:34

jumba wrote:Why should a web browser be developed to block viewing of web content? I strongly believe that this is a job for the extensions and they already do it well.
A web browser should have some minimum controls over what to parse and what not to.
jumba wrote:There are many text-based web browsers to view the content as plain text that sounds more a true "power user"
Text browsers support neither JS nor displaying images, so your point is moot. Although I do use Lynx in low-bandwidth situations or while reading large amounts of text.
Moonchild wrote:The whole "exploit" reason for disabling JS is a load of BS.
You are of course entitled to your own opinion, but then:
Moonchild wrote:nobody in the criminal world
Criminals are just one side of the coin. There are state sponsored attacks as well, and these attacks are quite difficult to mitigate without the controls that I'm talking about.
Moonchild wrote:complex things like plugin-based exploits, DNS poisoning, MitM attacks, trojan toolbars, malware extensions
Plugin based exploits are not complex. They are easier, and almost everyone uses plugins, that's why attackers use them. The other aforementioned things are delivery mechanisms and payloads and unrelated to the topic at hand.
Moonchild wrote:They would all be using the "javascript exploits".
The reason JS exploits aren't used that widely is that they aren't as vulnerability-ridden as Flash or Java. But the occasional exploit definitely appears, and browsers do get exploited. An AV is no good when it comes to 0-days.

Also, malicious JS doesn't have to exploit the browser. This could be easily done with JS. And JS is definitely used as part of the initialisation of exploit delivery in exploit kits.

Now, you'll say, "but it is $foo's problem that they have a vulnerability, neither Mozilla's nor mine!". But that isn't how security is done. It is a process involving multiple layers of protection ("defense in depth"). I should have some amount of control over whose code to trust and whose not to, especially when it comes to executable code. Inviting a burglar into my house, and then trying to see that he cannot steal my belongings, is certainly not the best way to have security.

"But", you say, "the HTML parser might have a bug as well. Stop using a browser!". But this completely limits the usefulness of the browser, and well, at least they are not full blown programs, and they cannot make things interact in ways not intended, unlike JS.
Moonchild wrote:JS in page content is running in fully isolated compartments
That didn't prevent things like this happening.
Moonchild wrote: If you can point me to a current, exploitable JS vulnerability that breaks out of these compartments or does something totally untoward with data it shouldn't have access to, then I (and everyone at Mozilla security) would be extremely interested to know the details.
Maybe I'm correct in interpreting this as: "If you are a security researcher, find a vulnerability, otherwise STFU!"
Just because people are not security researchers doesn't make their points invalid, you know.
Moonchild wrote:In fact, if you find one and report it to Mozilla, you may even be eligible for a "bounty" for reporting it, if it's an actual exploit.
I'm not a security researcher, but I'm told that the money they pay is simply not worth it. PWN2OWN and similar ones are difficult but certainly pay a little more.

/soapbox

Anyway, it'd be nice to have granular controls for JS and images (exposed in the Settings dialog). "Shooting themselves in the foot" is, OTOH, not a solid argument, since it is easy to add a dialog to warn people.

Moonchild

Re: Restore option to disable Javascript

Post by Moonchild » 2014-04-15, 08:55

Drawing on an "exploit" that isn't an exploit but rather a limitation, from about a year ago, with Firefox being used in a non-standard environment for a purpose it was never specifically designed for (it's not designed to be anonymous to the web), is hardly something you can use as an example of "JavaScript is insecure".

Also, "shooting yourself in the foot" is not a "Mozilla expression". It's a common expression and very applicable here, as you will be "limping along" on the web after you disable JS.

If you want to be paranoid, that's fine. Use extensions for your peace of mind. I'm not going to change my decision on JS because I have seen no evidence that it is a risk, and plenty of evidence that it is an absolute essential part of today's Internet. If you're not a security researcher, then why can't you take my word for it? I do, after all, have a thorough understanding of both the code involved and computer&business security.

dark_moon

Re: Restore option to disable Javascript

Post by dark_moon » 2014-04-15, 09:41

Everyone can disable JavaScript in about:config with javascript.enabled set to false.
And the Pale Moon Commander add-on has this setting too, if I remember correctly.

Anyway, allowing/forbidding JavaScript for every site in page permissions takes a lot of time.
Better then to use an add-on, like NoScript.
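
The pref dark_moon names can also be forced from the profile directory instead of being flipped by hand in about:config. The shell helper below is an added example for this thread, not code from Pale Moon or from anyone posting here. It assumes the profile directory is passed as an argument and that the profile uses the standard user.js mechanism (a user.js in the profile directory is read at every startup, and its user_pref() lines override whatever prefs.js holds). The pref name javascript.enabled and the user_pref() syntax are the real ones; everything else (function names, the temp-file dance) is this example's own.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of Pale Moon itself.
# Force javascript.enabled on or off for a profile by editing its user.js.
#
#   set_js_pref <profile-dir> true|false   write the pref (idempotent)
#   get_js_pref <profile-dir>              print true, false or default

set_js_pref() {
    profile="$1"
    value="$2"
    case "$value" in
        true|false) ;;
        *) echo "value must be true or false" >&2; return 1 ;;
    esac
    userjs="$profile/user.js"
    [ -f "$userjs" ] || : > "$userjs"
    # Drop any existing line for this pref before appending the new one, so
    # repeated calls never leave two conflicting entries in user.js (the last
    # one would win, which is easy to miss when auditing a profile).
    tmp="$userjs.tmp.$$"
    grep -v '^user_pref("javascript.enabled"' "$userjs" > "$tmp" || true
    printf 'user_pref("javascript.enabled", %s);\n' "$value" >> "$tmp"
    mv "$tmp" "$userjs"
}

get_js_pref() {
    userjs="$1/user.js"
    # No user.js, or no entry for the pref: the browser uses its built-in default
    # (or whatever prefs.js says), which this helper reports as "default".
    [ -f "$userjs" ] || { echo "default"; return 0; }
    line=$(grep '^user_pref("javascript.enabled"' "$userjs" | tail -n 1)
    case "$line" in
        *false*) echo false ;;
        *true*)  echo true ;;
        *)       echo default ;;
    esac
}

# Command-line use: ./js_pref.sh <profile-dir> true|false (prints the resulting value)
if [ "$#" -eq 2 ]; then
    set_js_pref "$1" "$2" && get_js_pref "$1"
fi
```

One caveat worth knowing before using this: once user.js carries a javascript.enabled line, toggling the pref in about:config only lasts until the next restart, because user.js is re-applied at startup. To hand control back to about:config, delete the line (or set it to true with the helper and then remove it). This is an all-or-nothing switch for the whole profile; per-site granularity is what NoScript and similar add-ons provide.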

access2godzilla

Re: Restore option to disable Javascript

Post by access2godzilla » 2014-04-15, 10:10

Moonchild wrote:it's not designed to be anonymous to the web
I'm not sure what you're trying to mean -- it's just stock FF ESR with the Torbutton add-on. The exploit was only weaponised to work with v17, but remove the conditional statements, and it works up to v22.
Moonchild wrote:I have seen no evidence that it is a risk, and plenty of evidence that it is an absolute essential part of today's Internet.
JS is essential and no one's debating it. (Otherwise I'd have requested yanking JS out of the browser itself.) But there need to be some controls built into the browser itself. Even Chrome, known to have less customisability than FF, has granular controls for JS and images.

And, as I stated in my previous post, JS can act maliciously without having to exploit vulnerabilities in the browser.

Moonchild

Re: Restore option to disable Javascript

Post by Moonchild » 2014-04-15, 10:37

access2godzilla wrote:
it's not designed to be anonymous to the web
I'm not sure what you're trying to mean -- it's just stock FF ESR with the Torbutton addon.
This is exactly my point.
It's a general-use browser and not specifically designed to be anonymous to the web.
That is not JS's fault. It's not FF or PM's fault. It's the tor people having a naive approach to marketing an "anonymous browser".

And "acting maliciously" is very subjective. The only thing that matters in terms of scripting being written with malicious intent is if that scripting can actually get anywhere. That is the only thing that matters.
And I dare say that you can try your best to write malicious JS code, and join the ranks of the many who try this every day and fail to get anywhere.

If you want granularity, use an extension that gives you this granularity and choose among different extensions that give different levels of granularity to find the one that suits you most. Which, by the way, is another reason to keep this external: who am I to determine what level of granularity people need? You choose.

opera1215b1748

Re: Restore option to disable Javascript

Post by opera1215b1748 » 2014-04-15, 11:14

We do not trust extension writers, we trust you, who...
Moonchild wrote:after all, have a thorough understanding of both the code involved and computer&business security.
That's why we use PM in the first place.

Still, the statement "JS cannot be used maliciously" is false. All JAVA/Flash/iFrame issues depend on JS availability in the browser.
dark_moon wrote:allow/ forbid javascript for every site at page permissions take a lot of time
It depends on the quality of the UI. In the someotherbrowser it is 2 (two) clicks/keystrokes away.

a2g is right, we need a layered approach to security. Disabling the unnecessary (on a particular site) features is one of the layers.

PS
Could not find (Options&Advanced Options) where to disable the iFrames handling.

access2godzilla

Re: Restore option to disable Javascript

Post by access2godzilla » 2014-04-15, 11:35

Moonchild wrote:That is not JS's fault. It's not FF or PM's fault. It's the tor people having a naive approach to marketing an "anonymous browser".
It is indeed a JS exploit. (Please read the articles!) Mozilla removed the code from their own pastebin, so here it is: http://pastebin.com/n3xAmrwu (note that the annotated conclusion about a "final malware binary" is incorrect) and here's the disassembly of the shellcode: http://tsyrklevich.net/tbb_payload.txt
who am I to determine what level of granularity people need? You choose.
Of course, finer controls are best left to extensions, but at least restore the checkbox, if options for JS page permissions isn't an option. (Maybe with a warning dialog, since you're so insistent that people will "shoot themselves in the foot".)

Moonchild

Re: Restore option to disable Javascript

Post by Moonchild » 2014-04-15, 11:46

You both miss the point. I'm not wasting any more time on this, sorry.

Opera: JAVA/Flash/iframe malware does not need JS to "do its thing".
A2G: Tor - once again, it's not an exploit. It's expecting Firefox code to do something it was not designed for.
Also, if you are so hellbent on your checkbox, https://addons.mozilla.org/en-US/firefo ... ty/?src=ss

access2godzilla

Re: Restore option to disable Javascript

Post by access2godzilla » 2014-04-15, 12:17

Well, Moonchild, it's your browser; I still think it should be integrated into Pale Moon.
Moonchild wrote:Tor - once again, it's not an exploit.
Please explain why it's not, especially if it gets its own MFSA: https://www.mozilla.org/security/announ ... 13-53.html

Moonchild

Re: Restore option to disable Javascript

Post by Moonchild » 2014-04-15, 12:57

I'm probably wasting my breath, but hey, maybe you'll understand.
Security researcher Nils reported that specially crafted web content using the onreadystatechange event and reloading of pages could sometimes cause a crash when unmapped memory is executed. This crash is potentially exploitable.
  1. Has nothing to do with TOR. This applies to any situation where all of the prerequisites are met.
  2. "Could sometimes cause a crash", and only in very specific situations ("when pages are reloaded" and "when unmapped memory is executed"). Lots of IFs, and not something that would happen very often.
  3. It is potentially exploitable. Theoretically. Because it deals with executing unmapped memory that could have potentially malicious code injected in it before this execution happens. Do you have any idea how difficult it is to exploit this kind of potential vulnerability, if it is practically possible to begin with?
  4. I'm not saying JS is perfect. But you saying that "JS is bad" just because of a flaw in its implementation (that was found and patched) that could lead to a potential vulnerability is just wrong. By that reasoning, you shouldn't be using any software because software is not going to be bug-free. More vulnerabilities will be found in different parts of the browser, and those will likely have a percentage that is "potentially exploitable". That doesn't mean they are being exploited or can be exploited in practice to do something malicious, either.
  5. You are talking about something that was patched in FF22.0 (and which was also back-ported to Pale Moon's 20.* branch). Something that was found and fixed a year ago. Now, if it would go unpatched for a long time and be actively exploited "in the wild" then that would be a different story (and a reason to temporarily disable JS until a patched version of the browser would be published). But it's not. So what's the big deal? It was a bug, it got fixed. Not the first, not the last.
If this is reason for you to cripple your software "just in case there is another potential vulnerability", then be my guest. I'm not going to cater to that kind of fear, and I'm not going to put an option into the browser by default that caters to it and will very likely be used by users who do not understand the implications of it and who go by "having heard that having JS enabled is bad" (a misconception perpetuated by finding posts like yours in this thread).
It's something that should only be done by people who know full well what the implications are, what the pitfalls are, and how to deal with broken sites as a result: a (very) small percentage of power users, which by definition puts it into the realm of extensions.

Have a little faith in Pale Moon's implementation and security. If you can't, then I'm surprised you're actually maintaining PM4Linux.

opera1215b1748

Re: Restore option to disable Javascript

Post by opera1215b1748 » 2014-04-15, 13:18

Moonchild wrote:...But you saying that "JS is bad"...
Never ever did we (either of us) say that!

access2godzilla

Re: Restore option to disable Javascript

Post by access2godzilla » 2014-04-15, 14:12

@Moonchild,
It makes sense now. And I do have faith in the security of the PM codebase :)

@opera
NoScript might be what you're looking for (it's developed by a well-known security researcher who is, IIRC, a member of the Mozilla security team).

Sarris

Re: Restore option to disable Javascript

Post by Sarris » 2014-04-15, 15:54

I've been using Noscript since it hit the Moz add-on site. It works quite well, in fact TOO well in some instances and sometimes can be kind of a PIA.

However, if you use it judiciously, you can block most if not all advertisement and tracking scripts.

Upon installation, it will block a lot of the wanted content as well, so you have to set up your exceptions.

That being said, it works flawlessly, and as far as I am concerned, it's a keeper. :thumbup:

Regards;

Sarris

dark_moon

Re: Restore option to disable Javascript

Post by dark_moon » 2014-04-15, 16:23

Yeah, I have used NoScript for years now and it works great. Can't live without it!
