Is turning off iFrames via about:config > browser.frames.enabled;false broken in Firefox 23?

  • 2 replies
  • 15 have this problem
  • 7 views
  • Last reply by blurker

I noticed that Firefox version 23 removed the option to turn OFF JavaScript from the Tools > Options > Content menu: http://www.extremetech.com/computing/163291-firefox-23-finally-kills-the-blink-tag-removes-ability-to-turn-off-javascript-introduces-new-logo

Recent events, in which the FBI allegedly used JavaScript in an iframe to exploit a bug in Firefox with the intention of uncovering the identity of users of the TOR network, encouraged me to play with the security settings a bit. More about how the FBI exploited a Firefox bug to execute malicious JavaScript on users' computers: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html More biased articles can be found in popular media articles. Just google "TOR exploit FBI".

ISSUE:

Symptoms: I noticed that turning iFrames OFF in about:config > browser.frames.enabled;false does not seem to be working as expected. Iframes are still shown and JavaScript in them is executed. It doesn't work even after restarting Firefox.

Testing: I used these pages to test iFrames:

  • https://sites.google.com/site/annuairevin/test-page
  • http://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe
  • http://www.quirksmode.org/iframetest.html

After I turned browser.frames.enabled OFF and restarted I noticed that iFrames are still shown on all 3 pages and JavaScript in them would be executed.

By blocking IFRAMES with NoScript blocking turned ON (you have to turn forbidding IFRAMES on manually in options http://i.imgur.com/7jctoTW.png) I managed to block IFRAMES on google and w3school pages.

!!!Text in iframe "Test page in iframe" on quirksmode test page was still shown even after I have frames turned OFF in about:config and I block all scripts and frames and iframes with NoScript.

If I open the same page (http://www.quirksmode.org/iframetest.html) with Opera with iFrames blocked in Preferences, the iFrame is not shown at all, the browser doesn't even render an empty square; but JavaScript in it is executed, if you don't disable JavaScript in Preferences > Advanced. I didn't test Chrome at all.


Possible things that can cause the bug:

  • I am using NoScript 2.6.7. I turned it off and on, but it is possible that it is overriding Firefox settings in about:config. When you search about:config for "frames" there are many settings mentioning frames from NoScript and AdBlockPlus.
  • AdBlock Plus 2.3.2? Same reason as NoScript.
  • For the first time I noticed a shield in the address bar with a "Firefox has blocked content that isn't secure" bubble: http://i.imgur.com/K4FL65n.png. I don't know how long this feature has been implemented or what exactly it does; here are some details: https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety?as=u&utm_source=inproduct


P.S. Just a small remark. If this is true: "Finally, Firefox 23 removes the option to disable JavaScript from the Options pane — and if you had JavaScript turned off, it has been turned back on." then there should be some warning when Firefox is updated that JS was turned ON. I think that for me FF updated silently without any messages. Or maybe I blatantly closed some windows, I don't remember well.

All Replies (2)

more options

The documentation I find on browser.frames.enabled is very vague, but I can't see that it does anything currently. Is this a feature you used successfully in an earlier version?

The Mixed [Active] Content Blocker was turned on by default in Firefox 23. That would explain the shield icon. Not sure whether implementing that might have changed how iframes are handled.

more options

Thx. I don't know if that feature was working at any time during development. I just found suggestions on Google that this is the way to turn off iFrames in Firefox. I didn't see anybody complaining that it doesn't work, but also no confirmations that it works.
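
A local way to repeat the iframe test described in the question without relying on third-party pages, as an added example that is not part of the original thread: a parent page embeds a child page in an iframe and reports whether the frame loaded and whether script inside it ran. The file names, the message string and the timeout are assumptions chosen for this example.

```javascript
// Added example: a two-file probe that reports what the browser actually does
// with an <iframe>, independent of what about:config says.
// File names, the message string and the 1500 ms wait are arbitrary choices.

// Decision logic, kept as a plain function so it can be inlined into parent.html.
function classify(frameLoaded, scriptRan) {
  if (scriptRan) return 'iframe loaded, script inside it executed';
  if (frameLoaded) return 'iframe loaded, script inside it did not run';
  return 'iframe not loaded';
}

function buildProbe() {
  const child = [
    '<!doctype html><title>child</title>',
    '<p>Static text inside the iframe.</p>',
    // Only reaches the parent if script is allowed to run inside the frame.
    '<script>parent.postMessage("probe-script-ran", "*");</script>',
  ].join('\n');
  const parent = [
    '<!doctype html><title>iframe probe</title>',
    // This default text stays visible when script is disabled for the parent too.
    '<p id="verdict">parent script did not run</p>',
    '<iframe id="f" src="child.html" width="300" height="80"></iframe>',
    '<script>',
    classify.toString(),
    'var loaded = false, ran = false;',
    'document.getElementById("f").addEventListener("load", function () { loaded = true; });',
    'window.addEventListener("message", function (e) {',
    '  if (e.data === "probe-script-ran") ran = true;',
    '});',
    'setTimeout(function () {',
    '  document.getElementById("verdict").textContent = classify(loaded, ran);',
    '}, 1500);',
    '</script>',
  ].join('\n');
  return { 'parent.html': parent, 'child.html': child };
}

// Usage: node probe.js <existing-output-dir>, then open parent.html in the browser.
const outDir = typeof process !== 'undefined' ? process.argv[2] : undefined;
if (outDir && typeof require !== 'undefined') {
  const fs = require('fs'), path = require('path');
  if (fs.existsSync(outDir) && fs.statSync(outDir).isDirectory()) {
    for (const [name, html] of Object.entries(buildProbe())) {
      fs.writeFileSync(path.join(outDir, name), html);
    }
  }
}
```

The `load` event is only a proxy for rendering, so the static text inside the frame remains the visual check; rerun the probe after each settings change and after a browser restart.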