Executing Scripts Embedded in HTML Emails - Mozilla


Thread: Executing Scripts Embedded in HTML Emails

  1. Re: Executing Scripts Embedded in HTML Emails

    BJ on 10/8/2008 12:43 PM, keyboarded a reply:
    > Ron K. wrote:
    >> BJ on 10/8/2008 12:09 AM, keyboarded a reply:
    >>> Pete Holsberg wrote:
    >>>> Terry R. has written on 10/7/2008 8:34 PM:
    >>>>> The date and time was 10/7/2008 5:26 PM, and on a whim, Pete
    >>>>> Holsberg pounded out on the keyboard:
    >>>>>
    >>>>>
    >>>>>> BJ has written on 10/7/2008 7:18 PM:
    >>>>>>
    >>>>>>> Ron K. wrote:
    >>>>>>>
    >>>>>>>> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>>>>>>>
    >>>>>>>>> Will TB execute scripts that are embedded in HTML emails
    >>>>>>>>>
    >>>>>>>> It can. However a recent discovery found that Tb is at high risk
    >>>>>>>> to JS exploits. Unless a solution plan can be devised, future
    >>>>>>>> releases will lose JS functionality in the message pane.
    >>>>>>>> Therefore, I strongly recommend not activating JS.
    >>>>>>> The MZ KB says "JavaScript is disabled by default for the "Mail &
    >>>>>>> Newsgroups" component, for security reasons"
    >>>>>>>
    >>>
    >>>
    >>>

    >>
    >> The javascript.allow.mailnews set to false is what stops JS embedded
    >> in messages from being processed.
    >>
    >> This javascript.options.showInConsole permits detected JS errors to be
    >> displayed in the error console. That is an aid to bug reporting and
    >> the Tools menu is where you can launch the dialog. It will also list
    >> style errors in the Warnings tab.
    >>
    >>
    >>

    > Got it. So I don't need to toggle anything . . . just leave it the way
    > it is.
    >


    Right.

    --
    Ron K.
    Who is General Failure, and why is he searching my HDD?
    Kernel Restore reported Major Error used BSOD to msg the enemy!

  2. Re: Executing Scripts Embedded in HTML Emails

    BJ on 10/8/2008 12:52 PM, keyboarded a reply:
    > Pete Holsberg wrote:
    >> Ron K. has written on 10/8/2008 1:02 AM:
    >>> BJ on 10/8/2008 12:09 AM, keyboarded a reply:
    >>>
    >>>>
    >>>> OK . . . I have several listings, all default, in my TB about:config
    >>>> for
    >>>> java and javascript.
    >>>>
    >>>> The first is javascript.allow.mailnews and it's set to false.
    >>>>
    >>>> The second is javascript.enabled and that's set to true.
    >>>>
    >>>> The next is javascript.options.showInConsole and that's set to true.
    >>>>
    >>>> The next is javascript.options.strict and that's set to false.
    >>>>
    >>>> Then I have security.enable_java and that's set to true.
    >>>>
    >>>> From what I can gather from the KB's, there's three that don't really
    >>>> apply to disabling javascript embedded in emails:
    >>>>
    >>>> 1. javascript.options.showInConsole
    >>>>
    >>>> 2. javascript.options.strict
    >>>>
    >>>> 3. security.enable_java.
    >>>>
    >>>> But the KB's are not really clear about javascript.allow.mailnews and
    >>>> javascript.enabled. And what's more confusing to me is that while
    >>>> javascript.allow.mailnews is set to false, javascript.enabled is set to
    >>>> true. Intuitively it would seem that javascript.enabled would
    >>>> determine
    >>>> enabling/disabling and I should toggle that false.
    >>>>
    >>>> But then a lot of these things are anything BUT intuitive.
    >>>>
    >>>> So, before I toggle the wrong one and maybe mess things up, I thought
    >>>> I'd ask for some guidance here.
    >>>>
    >>>> And the reason I brought up security.enable_java is that a poster here
    >>>> mentioned it in this thread. That confused me even more.
    >>>>
    >>>> And they are all default settings, and since a poster here said "It's
    >>>> not disabled by default in TB.", I'm REALLY confused.
    >>>>
    >>>> So which one should I toggle to disable embedded javascript in emails
    >>>> and newsgroups, or are my settings OK and should I just leave things
    >>>> alone??
    >>>>
    >>>
    >>> The javascript.allow.mailnews set to false is what stops JS embedded
    >>> in messages from being processed.
    >>>

    >>
    >> That's what it says at
    >> http://preferential.mozdev.org/preferences.html. However, where else
    >> would javascript be executed? And why is there a javascript.enabled,
    >> true by default? I set it to false. Maybe belt and suspenders, but ...
    >>
    >>

    > Echo on the second question . . .


    Javascript is the language used by the Developers to build Mozilla
    products. Most of the scripts deal with the Chrome stuff. The entire
    Folder Pane is powered by JS to lay out the Folder Tree and populate it.
    The same with the Thread Tree of the Thread Pane. There is more to the code
    of the trees, but simply, JS is what fills in the structure created by XUL
    and applies the glue of key bindings.

    --
    Ron K.
    Who is General Failure, and why is he searching my HDD?
    Kernel Restore reported Major Error used BSOD to msg the enemy!

  3. Re: Executing Scripts Embedded in HTML Emails

    XS11E has written on 10/8/2008 1:11 PM:
    > My config editor shows javascript is set to "false" by default so
    > there's no need to look for it, is there, unless the OP has previously
    > edited the config settings.
    >


    Every javascript entry is "false", or just the "mailnews" one?

    In any case, it would behoove anyone to look and be sure.

  4. Re: Executing Scripts Embedded in HTML Emails

    BJ has written on 10/8/2008 12:52 PM:
    > Pete Holsberg wrote:
    >
    >>
    >> That's what it says at http://preferential.mozdev.org/preferences.html.
    >> However, where else would javascript be executed? And why is there a
    >> javascript.enabled, true by default? I set it to false. Maybe belt and
    >> suspenders, but ..

    > Echo on the second question . . .
    >


    "Ditto" maybe???



  5. Re: Executing Scripts Embedded in HTML Emails

    Ron K. wrote:
    > BJ on 10/8/2008 12:43 PM, keyboarded a reply:
    >> Ron K. wrote:
    >>> BJ on 10/8/2008 12:09 AM, keyboarded a reply:
    >>>> Pete Holsberg wrote:
    >>>>> Terry R. has written on 10/7/2008 8:34 PM:
    >>>>>> The date and time was 10/7/2008 5:26 PM, and on a whim, Pete
    >>>>>> Holsberg pounded out on the keyboard:
    >>>>>>
    >>>>>>
    >>>>>>> BJ has written on 10/7/2008 7:18 PM:
    >>>>>>>
    >>>>>>>> Ron K. wrote:
    >>>>>>>>
    >>>>>>>>> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>>>>>>>>
    >>>>>>>>>> Will TB execute scripts that are embedded in HTML emails
    >>>>>>>>>>
    >>>>>>>>> It can. However a recent discovery found that Tb is at high
    >>>>>>>>> risk to JS exploits. Unless a solution plan can be devised,
    >>>>>>>>> future releases will lose JS functionality in the message
    >>>>>>>>> pane. Therefore, I strongly recommend not activating JS.
    >>>>>>>> The MZ KB says "JavaScript is disabled by default for the "Mail &
    >>>>>>>> Newsgroups" component, for security reasons"
    >>>>>>>>
    >>>>
    >>>>
    >>>>
    >>>
    >>> The javascript.allow.mailnews set to false is what stops JS embedded
    >>> in messages from being processed.
    >>>
    >>> This javascript.options.showInConsole permits detected JS errors to
    >>> be displayed in the error console. That is an aid to bug reporting
    >>> and the Tools menu is where you can launch the dialog. It will also
    >>> list style errors in the Warnings tab.
    >>>
    >>>
    >>>

    >> Got it. So I don't need to toggle anything . . . just leave it the
    >> way it is.
    >>

    >
    > Right.
    >

    Thanks, BTW.

    --
    Anti-spam measures are included in my email address.
    Delete all the NOSPAMs from the email address after clicking Reply.

  6. Re: Executing Scripts Embedded in HTML Emails

    Pete Holsberg wrote:

    > XS11E has written on 10/8/2008 1:11 PM:
    >> My config editor shows javascript is set to "false" by default so
    >> there's no need to look for it, is there, unless the OP has
    >> previously edited the config settings.
    >>

    >
    > Every javascript entry is "false", or just the "mailnews" one?


    Not every entry, these are false:
    javascript.allow.mailnews
    javascript.options.strict
    network.protocol-handler.external.javascript

    These are true:
    javascript.enabled
    javascript.options.showInConsole
    security.enable_java

    Those are the default settings in my version and should prevent the
    potential problem being discussed.

    > In any case, it would behoove anyone to look and be sure.


    Very good idea but I can't imagine anyone having other than the default
    settings w/o having set manually?



    --
    XS11E, Killing all posts from Google Groups
    The Usenet Improvement Project:
    http://improve-usenet.org

  7. Re: Executing Scripts Embedded in HTML Emails

    XS11E on 10/8/2008 5:35 PM, keyboarded a reply:
    > Pete Holsberg wrote:
    >
    >> XS11E has written on 10/8/2008 1:11 PM:
    >>> My config editor shows javascript is set to "false" by default so
    >>> there's no need to look for it, is there, unless the OP has
    >>> previously edited the config settings.
    >>>

    >> Every javascript entry is "false", or just the "mailnews" one?

    >
    > Not every entry, these are false:
    > javascript.allow.mailnews
    > javascript.options.strict
    > network.protocol-handler.external.javascript
    >
    > These are true:
    > javascript.enabled
    > javascript.options.showInConsole
    > security.enable_java
    >
    > Those are the default settings in my version and should prevent the
    > potential problem being discussed.
    >
    >> In any case, it would behoove anyone to look and be sure.

    >
    > Very good idea but I can't imagine anyone having other than the default
    > settings w/o having set manually?
    >
    >
    >


    Earlier in the development of Tb there had been a UI to enable JSD use in
    MailNews. It was removed from Tb 2 and defaulted to false. So anyone
    migrating from Tb 1.5 to Tb 2.0 was also carrying forward the prior JS
    settings.

    --
    Ron K.
    Who is General Failure, and why is he searching my HDD?
    Kernel Restore reported Major Error used BSOD to msg the enemy!

  8. Re: Executing Scripts Embedded in HTML Emails

    "Ron K." wrote:

    > XS11E on 10/8/2008 5:35 PM, keyboarded a reply:
    >> Very good idea but I can't imagine anyone having other than the
    >> default settings w/o having set manually?

    >
    > Earlier in the development of Tb there had been a UI to enable JSD
    > use in MailNews. It was removed from Tb 2 and defaulted to false.
    > So anyone migrating from Tb 1.5 to Tb 2.0 was also carrying
    > forward the prior JS settings.


    Interesting, moving to 2.0 didn't overwrite?


    --
    XS11E, Killing all posts from Google Groups
    The Usenet Improvement Project:
    http://improve-usenet.org

  9. Re: Executing Scripts Embedded in HTML Emails

    XS11E on 10/8/2008 6:35 PM, keyboarded a reply:
    > "Ron K." wrote:
    >
    >> XS11E on 10/8/2008 5:35 PM, keyboarded a reply:
    >>> Very good idea but I can't imagine anyone having other than the
    >>> default settings w/o having set manually?

    >> Earlier in the development of Tb there had been a UI to enable JSD
    >> use in MailNews. It was removed from Tb 2 and defaulted to false.
    >> So anyone migrating from Tb 1.5 to Tb 2.0 was also carrying
    >> forward the prior JS settings.

    >
    > Interesting, moving to 2.0 didn't overwrite?
    >
    >


    Profiles are not touched when the program is Updated or Upgraded unless a
    new feature needs a file added that is specific to the feature. Thus the
    Prefs.js is left alone. Even if the defaults in the all.js are changed, the
    loadup sequence is such that Prefs.js settings will override those of the
    default.

    In the case of JS the developers do have the power to make a change in the
    binary code to prevent the User setting in Prefs.js from being honored.

    --
    Ron K.
    Who is General Failure, and why is he searching my HDD?
    Kernel Restore reported Major Error used BSOD to msg the enemy!

  10. Re: Executing Scripts Embedded in HTML Emails

    Ron K. wrote:
    >
    > Javascript is the language used by the Developers to build Mozilla
    > products. Most of the scripts deal with the Chrome stuff. The entire
    > Folder Pane is powered by JS to lay out the Folder Tree and populate it.
    > The same with the Thread Tree of the Thread Pane. There is more to the code
    > of the trees, but simply, JS is what fills in the structure created by XUL
    > and applies the glue of key bindings


    So will I be disabling a lot of TB functionality if I set
    javascript.enabled to "false"?

    (What is XUL?)

  11. Re: Executing Scripts Embedded in HTML Emails

    *-* On Wed, 08 Oct 2008, at 17:50:51 -0400,
    *-* In Article XeWdnZdhOvyBtnDVnZ2dnUVZ_qvinZ2d@mozilla.org,
    *-* Ron K. wrote
    *-* About Re: Executing Scripts Embedded in HTML Emails

    > XS11E on 10/8/2008 5:35 PM, keyboarded a reply:
    >> Pete Holsberg wrote:


    >>> XS11E has written on 10/8/2008 1:11 PM:
    >>>> My config editor shows javascript is set to "false" by default so
    >>>> there's no need to look for it, is there, unless the OP has
    >>>> previously edited the config settings.


    >>> Every javascript entry is "false", or just the "mailnews" one?


    >> Not every entry, these are false:
    >> javascript.allow.mailnews
    >> javascript.options.strict
    >> network.protocol-handler.external.javascript


    >> These are true:
    >> javascript.enabled
    >> javascript.options.showInConsole
    >> security.enable_java


    >> Those are the default settings in my version and should prevent the
    >> potential problem being discussed.


    >>> In any case, it would behoove anyone to look and be sure.


    >> Very good idea but I can't imagine anyone having other than the
    >> default settings w/o having set manually?


    > Earlier in the development of Tb there had been a UI to enable JSD
    > use in MailNews. It was removed from Tb 2 and defaulted to false. So
    > anyone migrating from Tb 1.5 to Tb 2.0 was also carrying forward the
    > prior JS settings.


    That shouldn't be a problem, as the default was also false in the
    earlier (UI-containing) versions, or at least it is in my TB 1.5.

    Ken Whiton

    FIDO: 1:132/152
    InterNet: kenwhiton@surfglobal.net.INVAL (remove the obvious to reply)

  12. Re: Executing Scripts Embedded in HTML Emails

    BJ wrote:
    >> That's what it says at
    >> http://preferential.mozdev.org/preferences.html. However, where else
    >> would javascript be executed? And why is there a javascript.enabled,
    >> true by default? I set it to false. Maybe belt and suspenders, but ...

    > Echo on the second question . . .

    Two reasons as far as I can see. First, unlike people who want things to
    be configured brain dead out of the box, the vast majority of people do
    not think like you. Secondly, the chances of bad things happening to you
    from a JavaScript exploit in email, contrary to popular FUD, are very low.
    --
    Andrew DeFaria
    I put instant coffee in my microwave oven and almost went back in time.


  13. Re: Executing Scripts Embedded in HTML Emails

    Pete Holsberg on 10/8/2008 11:19 PM, keyboarded a reply:
    > Ron K. wrote:
    >>
    >> Javascript is the language used by the Developers to build Mozilla
    >> products. Most of the scripts deal with the Chrome stuff. The entire
    >> Folder Pane is powered by JS to lay out the Folder Tree and populate
    >> it. The same with the Thread Tree of the Thread Pane. There is more to
    >> the code of the trees, but simply, JS is what fills in the structure
    >> created by XUL and applies the glue of key bindings

    >
    > So will I be disabling a lot of TB functionality if I set
    > javascript.enabled to "false"?
    >
    > (What is XUL?)


    XUL (eXtensible User-interface Language) is what the developers use to do
    all the stuff you see on the screen. It has some component technologies
    including Javascript, eXtensible Binding Language, and Cascading Style Sheets.

    Personally I do not know if switching off javascript.enabled will kill the
    GUI. Never tried it, and am not interested in breaking Tb or Fx to find out.

    A side point. There are items listed in the Config Edit window that are
    not used by Tb. The files providing the visible defaults were cloned from
    the Mozilla Suite project. The last I remember reading an audit of those
    files being done was before Tb reached the 1.0 release.

    --
    Ron K.
    Who is General Failure, and why is he searching my HDD?
    Kernel Restore reported Major Error used BSOD to msg the enemy!

  14. Re: Executing Scripts Embedded in HTML Emails

    Ken Whiton on 10/9/2008 12:50 AM, keyboarded a reply:
    > *-* On Wed, 08 Oct 2008, at 17:50:51 -0400,
    > *-* In Article XeWdnZdhOvyBtnDVnZ2dnUVZ_qvinZ2d@mozilla.org,
    > *-* Ron K. wrote
    > *-* About Re: Executing Scripts Embedded in HTML Emails
    >
    >> XS11E on 10/8/2008 5:35 PM, keyboarded a reply:
    >>> Pete Holsberg wrote:

    >
    >>>> XS11E has written on 10/8/2008 1:11 PM:
    >>>>>

    >
    >>>>

    >> Earlier in the development of Tb there had been a UI to enable JSD
    >> use in MailNews. It was removed from Tb 2 and defaulted to false. So
    >> anyone migrating from Tb 1.5 to Tb 2.0 was also carrying forward the
    >> prior JS settings.

    >
    > That shouldn't be a problem, as the default was also false in the
    > earlier (UI-containing) versions, or at least it is in my TB 1.5.
    >
    > Ken Whiton


    Since my Tb 1.5 was set to "True" it carried forward to Tb 2.0. With the
    loss of the UI there was no longer a User ability to review their prior
    setting in the UI. The passage of time has resulted in new users being set
    false and less likely to dig into the prefs.js to toggle the value.

    The caution is directed to the old users and those thinking of doing the
    toggle.


    --
    Ron K.
    Who is General Failure, and why is he searching my HDD?
    Kernel Restore reported Major Error used BSOD to msg the enemy!
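
The carry-forward behaviour described in posts 9 and 14 (user values in prefs.js override the shipped defaults and survive an upgrade) can be checked by reading a profile's prefs.js directly. This is an added example, not part of any post in the thread; the default table is the list one poster gave for their own version, and the sample prefs.js contents and the `example.*` pref names are constructed.

```python
import re

# Defaults as one poster in this thread listed them for their Thunderbird
# version (an assumption standing in for the shipped defaults file).
THREAD_DEFAULTS = {
    "javascript.allow.mailnews": False,
    "javascript.options.strict": False,
    "network.protocol-handler.external.javascript": False,
    "javascript.enabled": True,
    "javascript.options.showInConsole": True,
    "security.enable_java": True,
}

# The pref the thread names as the switch for script embedded in messages.
MESSAGE_JS_PREF = "javascript.allow.mailnews"

# One user_pref("name", value); statement per line, as prefs.js is written.
_USER_PREF = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$'
)

def _parse_value(raw):
    """Convert a prefs.js literal (bool, int or quoted string) to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return raw  # unknown literal: keep the raw text

def parse_prefs_js(text):
    """Return {pref name: value}; a later line for the same pref wins."""
    prefs = {}
    for line in text.splitlines():
        m = _USER_PREF.match(line)
        if m:  # header comments and blank lines are skipped
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs

def audit_profile(prefs_text, defaults=THREAD_DEFAULTS):
    """Overlay user values on the defaults and report what differs."""
    user = parse_prefs_js(prefs_text)
    effective = dict(defaults)
    effective.update({k: v for k, v in user.items() if k in defaults})
    overrides = {k: v for k, v in user.items()
                 if k in defaults and v != defaults[k]}
    return {"effective": effective, "overrides": overrides,
            "message_js_enabled": effective[MESSAGE_JS_PREF] is True}

# Constructed sample: a profile whose old setting was carried forward.
MIGRATED_PREFS_JS = '''# Mozilla User Preferences
/* Do not edit this file. */
user_pref("example.constructed.string", "value (with parens)");
user_pref("javascript.allow.mailnews", true);
user_pref("example.constructed.count", 3);
'''

# Constructed sample: a profile with no JavaScript-related user values.
FRESH_PREFS_JS = '''# Mozilla User Preferences
user_pref("example.constructed.count", 1);
'''

if __name__ == "__main__":
    for label, text in (("migrated", MIGRATED_PREFS_JS),
                        ("fresh", FRESH_PREFS_JS)):
        report = audit_profile(text)
        print(label, "message JS enabled:", report["message_js_enabled"],
              "overrides:", report["overrides"])
```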

  15. Re: Executing Scripts Embedded in HTML Emails

    Andrew DeFaria has written on 10/9/2008 11:47 AM:
    > BJ wrote:
    >
    >>> That's what it says at
    >>> http://preferential.mozdev.org/preferences.html. However, where else
    >>> would javascript be executed? And why is there a javascript.enabled,
    >>> true by default? I set it to false. Maybe belt and suspenders, but ...
    >>>

    >> Echo on the second question . . .
    >>

    > Two reasons as far as I can see. First, unlike people who want things to
    > be configured brain dead out of the box, the vast majority of people do
    > not think like you. Secondly, the chances of bad things happening to you
    > from a JavaScript exploit in email, contrary to popular FUD, are very low.
    >


    If I set javascript.enabled to "false", what parts of TB will not work?

    Can you back up your last assertion?

  16. Re: Executing Scripts Embedded in HTML Emails

    Date: 10/9/2008 8:14 PM, Author: Pete Holsberg Wrote:
    > Andrew DeFaria has written on 10/9/2008 11:47 AM:
    >> BJ wrote:
    >>
    >>>> That's what it says at
    >>>> http://preferential.mozdev.org/preferences.html. However, where else
    >>>> would javascript be executed? And why is there a javascript.enabled,
    >>>> true by default? I set it to false. Maybe belt and suspenders, but ...
    >>>>
    >>> Echo on the second question . . .
    >>>

    >> Two reasons as far as I can see. First, unlike people who want things
    >> to be configured brain dead out of the box, the vast majority of
    >> people do not think like you. Secondly, the chances of bad things
    >> happening to you from a JavaScript exploit in email, contrary to
    >> popular FUD, are very low.
    >>

    >
    > If I set javascript.enabled to "false", what parts of TB will not work?
    >
    > Can you back up your last assertion?


    Disabling JavaScript will not affect _any_ Thunderbird function. All that will
    be lost are the JavaScript actions in HTML messages. Very few messages use
    JavaScript, you probably won't notice a difference. Effects like changing a
    button image when you mouseover or pop-out menus. Satisfactory similar effects
    can be achieved with HTML.

    As to Andrew's assertion, while some espouse the _potential_ threat from
    JavaScript, to my knowledge, none of the theoretical vulnerabilities have been
    employed as an actual attack on the internet.


    --
    G. R. Woodring

  17. Re: Executing Scripts Embedded in HTML Emails

    Pete Holsberg wrote:
    >> Two reasons as far as I can see. First, unlike people who want things
    >> to be configured brain dead out of the box, the vast majority of
    >> people do not think like you. Secondly, the chances of bad things
    >> happening to you from a JavaScript exploit in email, contrary to
    >> popular FUD, are very low.

    > If I set javascript.enabled to "false", what parts of TB will not work?

    Any part that wants to do a JavaScript thing.

    > Can you back up your last assertion?

    I don't need to back up the assertion. The assertion was made that
    bad things would happen. Prove that first.
    --
    Andrew DeFaria
    If I only had a little humility, I'd be perfect. - Ted Turner


  18. Re: Executing Scripts Embedded in HTML Emails

    G. R. Woodring wrote:
    > As to Andrew's assertion, While some espouse the _potential_ threat
    > from JavaScript, to my knowledge, none of the theoretical
    > vulnerabilities have been employed as an actual attack on the internet.

    BINGO!
    --
    Andrew DeFaria
    You can't tell which way the train went by looking at the track.

