Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Is turning off iFrames via about:config > browser.frames.enabled;false broken in Firefox 23?

  • 2 odgovori
  • 15 ima ovaj problem
  • 7 views
  • Posljednji odgovor poslao blurker

more options

I noticed that Firefox with version 23 removed option to turn OFF JavaScriipt from Tools > Options > Content menu http://www.extremetech.com/computing/163291-firefox-23-finally-kills-the-blink-tag-removes-ability-to-turn-off-javascript-introduces-new-logo

Recent events when allegedly FBI used JavaScript in iframe to exploit bug in Firefox with intentions to uncover identity of users of TOR network encouraged me to play with security settings a bit. More about how FBI exploited Firefox bug to execute malitious JavaScript on users computers: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html More biased articles can be found in popular media articles. Just google "TOR exploit FBI"

ISSUE:

Symptoms: I noticed that turning iFrames OFF in about:config > browser.frames.enabled;false seems to not be working as expected. Iframes are still shown and JavaScript in them is executed. Doesnt work even after resterting Firefox.

Testing: I used this pages to test iFrames: •https://sites.google.com/site/annuairevin/test-pagehttp://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframehttp://www.quirksmode.org/iframetest.html

After I turned browser.frames.enabled OFF and restarted I noticed that iFrames are still shown on all 3 pages and JavaScript in them would be executed.

By blocking IFRAMES with NoScript blocking turned ON (you have to turn forbidding IFRAMES on manually in options http://i.imgur.com/7jctoTW.png) I managed to block IFRAMES on google and w3school pages.

!!!Text in iframe "Test page in iframe" on quirksmode test page was still shown even after I have frames turned OFF in about:config and I block all scripts and frames and iframes with NoScript.

If I open same page (http://www.quirksmode.org/iframetest.html) with Opera with iFrames blocked in Preferences, iFrame is not shown at all, browser doesnt even render empty square; but JavaScript in it is executed, if you dont disable JavaScript in Preferences > Advanced. I didnt test Chrome at all.


Possible things that can cause bug: •I am using NoScript 2.6.7, I turned it off and on but it is possible that it is overriding Firefox settings in about:config. when you serach about:config for "frames" there are many settings mentioning frames from NoScript and AdBlockPlus. •AdBlock Plus 2.3.2? Same reason as NoScript. •Fot the first time I noticed Shield in the address bar with "Firefox has blocked content that isnt secure" bubble. http://i.imgur.com/K4FL65n.png. I dont know how long this feature is implemented or what exactly it does, here are some details: https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety?as=u&utm_source=inproduct


P.S. Just small remark. If that is true: "Finally, Firefox 23 removes the option to disable JavaScript from the Options pane — and if you had JavaScript turned off, it has been turned back on." There should be some warning when Firefox is updated that JS was turned ON. I think that for me FF updated silently without any messages. OR maybe I blatantly closed some windows, i dont remember well.

I noticed that Firefox with version 23 removed option to turn OFF JavaScriipt from Tools > Options > Content menu http://www.extremetech.com/computing/163291-firefox-23-finally-kills-the-blink-tag-removes-ability-to-turn-off-javascript-introduces-new-logo Recent events when allegedly FBI used JavaScript in iframe to exploit bug in Firefox with intentions to uncover identity of users of TOR network encouraged me to play with security settings a bit. More about how FBI exploited Firefox bug to execute malitious JavaScript on users computers: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html More biased articles can be found in popular media articles. Just google "TOR exploit FBI" ISSUE: Symptoms: I noticed that turning iFrames OFF in about:config > browser.frames.enabled;false seems to not be working as expected. Iframes are still shown and JavaScript in them is executed. Doesnt work even after resterting Firefox. Testing: I used this pages to test iFrames: •https://sites.google.com/site/annuairevin/test-page •http://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe •http://www.quirksmode.org/iframetest.html After I turned browser.frames.enabled OFF and restarted I noticed that iFrames are still shown on all 3 pages and JavaScript in them would be executed. By blocking IFRAMES with NoScript blocking turned ON (you have to turn forbidding IFRAMES on manually in options http://i.imgur.com/7jctoTW.png) I managed to block IFRAMES on google and w3school pages. !!!Text in iframe "Test page in iframe" on quirksmode test page was still shown even after I have frames turned OFF in about:config and I block all scripts and frames and iframes with NoScript. If I open same page (http://www.quirksmode.org/iframetest.html) with Opera with iFrames blocked in Preferences, iFrame is not shown at all, browser doesnt even render empty square; but JavaScript in it is executed, if you dont disable JavaScript in Preferences > Advanced. I didnt test Chrome at all. Possible things that can cause bug: •I am using NoScript 2.6.7, I turned it off and on but it is possible that it is overriding Firefox settings in about:config. when you serach about:config for "frames" there are many settings mentioning frames from NoScript and AdBlockPlus. •AdBlock Plus 2.3.2? Same reason as NoScript. •Fot the first time I noticed Shield in the address bar with "Firefox has blocked content that isnt secure" bubble. http://i.imgur.com/K4FL65n.png. I dont know how long this feature is implemented or what exactly it does, here are some details: https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety?as=u&utm_source=inproduct P.S. Just small remark. If that is true: "Finally, Firefox 23 removes the option to disable JavaScript from the Options pane — and if you had JavaScript turned off, it has been turned back on." There should be some warning when Firefox is updated that JS was turned ON. I think that for me FF updated silently without any messages. OR maybe I blatantly closed some windows, i dont remember well.

All Replies (2)

more options

The documentation I find on browser.frames.enabled is very vague, but I can't see that it does anything currently. Is this a feature you used successfully in an earlier version?

The Mixed [Active] Content Blocker was turned on by default in Firefox 23. That would explain the shield icon. Not sure whether implementing that might have changed how iframes are handled.

more options

Thx. I dont know if that feature was working in any time during development. I just found suggestions on google that this is the way to turn off iFrames in Firefox. I didnt see anybody complaining it doesnt work, but also no conformations that is works.