Executing Scripts Embedded in HTML Emails - Mozilla


Thread: Executing Scripts Embedded in HTML Emails

  1. Executing Scripts Embedded in HTML Emails

    Will TB execute scripts that are embedded in HTML emails?

    Thanks.


  2. Re: Executing Scripts Embedded in HTML Emails

    Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    > Will TB execute scripts that are embedded in HTML emails?
    >
    > Thanks.
    >


    It can. However a recent discovery found that Tb is at high risk to JS
    exploits. Unless a solution plan can be devised, future releases will lose
    JS functionality in the message pane. Therefore, I strongly recommend not
    activating JS.

    --
    Ron K.
    Who is General Failure, and why is he searching my HDD?
    Kernel Restore reported Major Error used BSOD to msg the enemy!

  3. Re: Executing Scripts Embedded in HTML Emails

    Ron K. has written on 10/7/2008 4:53 PM:
    > Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >
    >> Will TB execute scripts that are embedded in HTML emails?
    >>
    >> Thanks.
    >>

    >
    > It can. However a recent discovery found that Tb is at high risk to JS
    > exploits. Unless a solution plan can be devised, future releases will lose
    > JS functionality in the message pane. Therefore, I strongly recommend not
    > activating JS.
    >


    Do you mean this?

    "It was discovered that the same-origin check in Thunderbird could be
    bypassed. If a user had JavaScript enabled and were tricked into opening
    a malicious website, an attacker may be able to execute JavaScript in
    the context of a different website. (CVE-2008-3835) "


  4. Re: Executing Scripts Embedded in HTML Emails

    Ron K. wrote:
    > Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >> Will TB execute scripts that are embedded in HTML emails?
    >>
    >> Thanks.
    >>

    >
    > It can. However a recent discovery found that Tb is at high risk to JS
    > exploits. Unless a solution plan can be devised, future releases will
    > lose JS functionality in the message pane. Therefore, I strongly
    > recommend not activating JS.
    >


    The MZ KB says "JavaScript is disabled by default for the "Mail &
    Newsgroups" component , for security reasons"

    Is this correct or incorrect?

    And I assume the JS setting is found only in FF and not in TB? (I'm new
    to both)

    I have NoScript in my FF. If I block or otherwise disable a script with
    it, does that also extend to TB? (Of course, I wouldn't need to worry
    about that if the KB is correct).

    TB 2.0.0.16

    FF 3.0.1

  5. Re: Executing Scripts Embedded in HTML Emails

    Ron K. has written on 10/7/2008 4:53 PM:
    > Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >
    >> Will TB execute scripts that are embedded in HTML emails?
    >>
    >> Thanks.
    >>
    >>

    >
    > It can. However a recent discovery found that Tb is at high risk to JS
    > exploits. Unless a solution plan can be devised, future releases will lose
    > JS functionality in the message pane. Therefore, I strongly recommend not
    > activating JS.
    >


    Thanks. Is there a simpler way to do that other than tools > options >
    config editor and search for javascript?

  6. Re: Executing Scripts Embedded in HTML Emails

    Pete Holsberg on 10/7/2008 7:15 PM, keyboarded a reply:
    > Ron K. has written on 10/7/2008 4:53 PM:
    >> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>
    >>> Will TB execute scripts that are embedded in HTML emails?
    >>>
    >>> Thanks.
    >>>

    >>
    >> It can. However a recent discovery found that Tb is at high risk to JS
    >> exploits. Unless a solution plan can be devised, future releases will
    >> lose JS functionality in the message pane. Therefore, I strongly
    >> recommend not activating JS.
    >>

    >
    > Do you mean this?
    >
    > "It was discovered that the same-origin check in Thunderbird could be
    > bypassed. If a user had JavaScript enabled and were tricked into opening
    > a malicious website, an attacker may be able to execute JavaScript in
    > the context of a different website. (CVE-2008-3835) "
    >


    While Tb2 is not affected directly by some changes in the Gecko trunk, the
    degree the CAPS security policies in Tb are still valid is now
    questionable. I learned those policies have not been audited in over 5 years.

    Therefore, I decided to no longer discuss how to activate JS without full
    disclosure, that the degree of risk is higher than previously believed.

    The only way it can be done for Tb is through the Config Edit and toggling
    the pref from false to true.

    --
    Ron K.
    Who is General Failure, and why is he searching my HDD?
    Kernel Restore reported Major Error used BSOD to msg the enemy!

  7. Re: Executing Scripts Embedded in HTML Emails

    BJ has written on 10/7/2008 7:18 PM:
    > Ron K. wrote:
    >
    >> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>
    >>> Will TB execute scripts that are embedded in HTML emails

    >> It can. However a recent discovery found that Tb is at high risk to JS
    >> exploits. Unless a solution plan can be devised, future releases will
    >> lose JS functionality in the message pane. Therefore, I strongly
    >> recommend not activating JS.

    >
    > The MZ KB says "JavaScript is disabled by default for the "Mail &
    > Newsgroups" component , for security reasons"
    >
    > Is this correct or incorrect?
    >

    It's not disabled by default in TB.

    > And I assume the JS setting is found only in FF and not in TB? (I'm new
    > to both)
    >


    Not so.

    > I have NoScript in my FF. If I block or otherwise disable a script with
    > it, does that also extend to TB? (Of course, I wouldn't need to worry
    > about that if the KB is correct).
    >


    No. FF extensions are unaware of the existence of TB.

    You need to worry. :-)


  8. Re: Executing Scripts Embedded in HTML Emails

    The date and time was 10/7/2008 5:26 PM, and on a whim, Pete Holsberg
    pounded out on the keyboard:

    > BJ has written on 10/7/2008 7:18 PM:
    >> Ron K. wrote:
    >>
    >>> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>>
    >>>> Will TB execute scripts that are embedded in HTML emails
    >>> It can. However a recent discovery found that Tb is at high risk to JS
    >>> exploits. Unless a solution plan can be devised, future releases will
    >>> lose JS functionality in the message pane. Therefore, I strongly
    >>> recommend not activating JS.

    >> The MZ KB says "JavaScript is disabled by default for the "Mail &
    >> Newsgroups" component , for security reasons"
    >>
    >> Is this correct or incorrect?
    >>

    > It's not disabled by default in TB.
    >
    >> And I assume the JS setting is found only in FF and not in TB? (I'm new
    >> to both)
    >>

    >
    > Not so.
    >
    >> I have NoScript in my FF. If I block or otherwise disable a script with
    >> it, does that also extend to TB? (Of course, I wouldn't need to worry
    >> about that if the KB is correct).
    >>

    >
    > No. FF extensions are unaware of the existence of TB.
    >
    > You need to worry. :-)
    >


    I believe JS is disabled. I had to allow it using 4 different lines in
    my user.js file for scripts to work properly.

    --
    Terry R.
    Anti-spam measures are included in my email address.
    Delete NOSPAM from the email address after clicking Reply.

  9. Re: Executing Scripts Embedded in HTML Emails

    Terry R. has written on 10/7/2008 8:34 PM:
    > The date and time was 10/7/2008 5:26 PM, and on a whim, Pete Holsberg
    > pounded out on the keyboard:
    >
    >
    >> BJ has written on 10/7/2008 7:18 PM:
    >>
    >>> Ron K. wrote:
    >>>
    >>>
    >>>> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>>>
    >>>>
    >>>>> Will TB execute scripts that are embedded in HTML emails
    >>>>>
    >>>> It can. However a recent discovery found that Tb is at high risk to JS
    >>>> exploits. Unless a solution plan can be devised, future releases will
    >>>> lose JS functionality in the message pane. Therefore, I strongly
    >>>> recommend not activating JS.
    >>>>
    >>> The MZ KB says "JavaScript is disabled by default for the "Mail &
    >>> Newsgroups" component , for security reasons"
    >>>
    >>> Is this correct or incorrect?
    >>>
    >>>

    >> It's not disabled by default in TB.
    >>
    >>
    >>> And I assume the JS setting is found only in FF and not in TB? (I'm new
    >>> to both)
    >>>
    >>>

    >> Not so.
    >>
    >>
    >>> I have NoScript in my FF. If I block or otherwise disable a script with
    >>> it, does that also extend to TB? (Of course, I wouldn't need to worry
    >>> about that if the KB is correct).
    >>>
    >>>

    >> No. FF extensions are unaware of the existence of TB.
    >>
    >> You need to worry. :-)
    >>
    >>

    >
    > I believe JS is disabled. I had to allow it using 4 different lines in
    > my user.js file for scripts to work properly.
    >
    >

    Best for the OP to check, wouldn't you say?


  10. Re: Executing Scripts Embedded in HTML Emails

    Pete Holsberg wrote:

    > Ron K. has written on 10/7/2008 4:53 PM:
    >> It can. However a recent discovery found that Tb is at high risk
    >> to JS exploits. Unless a solution plan can be devised, future
    >> releases will lose JS functionality in the message pane.
    >> Therefore, I strongly recommend not activating JS.
    >>

    >
    > Thanks. Is there a simpler way to do that other than tools >
    > options > config editor and search for javascript?


    What you describe is pretty easy, entries in the config editor are in
    alphabetical order so scroll down to "security.enable_java".


    --
    XS11E, Killing all posts from Google Groups
    The Usenet Improvement Project:
    http://improve-usenet.org

  11. Re: Executing Scripts Embedded in HTML Emails

    Pete Holsberg wrote:
    > Terry R. has written on 10/7/2008 8:34 PM:
    >> The date and time was 10/7/2008 5:26 PM, and on a whim, Pete Holsberg
    >> pounded out on the keyboard:
    >>
    >>
    >>> BJ has written on 10/7/2008 7:18 PM:
    >>>
    >>>> Ron K. wrote:
    >>>>
    >>>>> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>>>>
    >>>>>> Will TB execute scripts that are embedded in HTML emails
    >>>>>>
    >>>>> It can. However a recent discovery found that Tb is at high risk to
    >>>>> JS exploits. Unless a solution plan can be devised, future releases
    >>>>> will lose JS functionality in the message pane. Therefore, I
    >>>>> strongly recommend not activating JS.
    >>>> The MZ KB says "JavaScript is disabled by default for the "Mail &
    >>>> Newsgroups" component , for security reasons"
    >>>>
    >>>> Is this correct or incorrect?
    >>>>
    >>> It's not disabled by default in TB.
    >>>
    >>>
    >>>> And I assume the JS setting is found only in FF and not in TB? (I'm
    >>>> new to both)
    >>>>
    >>> Not so.
    >>>
    >>>
    >>>> I have NoScript in my FF. If I block or otherwise disable a script
    >>>> with
    >>>> it, does that also extend to TB? (Of course, I wouldn't need to worry
    >>>> about that if the KB is correct).
    >>>>
    >>> No. FF extensions are unaware of the existence of TB.
    >>>
    >>> You need to worry. :-)
    >>>
    >>>

    >>
    >> I believe JS is disabled. I had to allow it using 4 different lines
    >> in my user.js file for scripts to work properly.
    >>
    >>

    > Best for the OP to check, wouldn't you say?
    >

    OK . . . I have several listings, all default, in my TB about:config for
    java and javascript.

    The first is javascript.allow.mailnews and it's set to false.

    The second is javascript.enabled and that's set to true.

    The next is javascript.options.showInConsole and that's set to true.

    The next is javascript.options.strict and that's set to false.

    Then I have security.enable_java and that's set to true.

    From what I can gather from the KB's, there's three that don't really
    apply to disabling javascript embedded in emails:

    1. javascript.options.showInConsole

    2. javascript.options.strict

    3. security.enable_java.

    But the KB's are not really clear about javascript.allow.mailnews and
    javascript.enabled. And what's more confusing to me is that while
    javascript.allow.mailnews is set to false, javascript.enabled is set to
    true. Intuitively it would seem that javascript.enabled would determine
    enabling/disabling and I should toggle that false.

    But then a lot of these things are anything BUT intuitive.

    So, before I toggle the wrong one and maybe mess things up, I thought
    I'd ask for some guidance here.

    And the reason I brought up security.enable_java is that a poster here
    mentioned it in this thread. That confused me even more.

    And they are all default settings, and since a poster here said "It's
    not disabled by default in TB.", I'm REALLY confused.

    So which one should I toggle to disable embedded javascript in emails
    and newsgroups, or are my settings OK and should I just leave things alone??




  12. Re: Executing Scripts Embedded in HTML Emails

    BJ on 10/8/2008 12:09 AM, keyboarded a reply:
    > Pete Holsberg wrote:
    >> Terry R. has written on 10/7/2008 8:34 PM:
    >>> The date and time was 10/7/2008 5:26 PM, and on a whim, Pete Holsberg
    >>> pounded out on the keyboard:
    >>>
    >>>
    >>>> BJ has written on 10/7/2008 7:18 PM:
    >>>>
    >>>>> Ron K. wrote:
    >>>>>
    >>>>>> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>>>>>
    >>>>>>> Will TB execute scripts that are embedded in HTML emails
    >>>>>>>
    >>>>>> It can. However a recent discovery found that Tb is at high risk
    >>>>>> to JS exploits. Unless a solution plan can be devised, future
    >>>>>> releases will lose JS functionality in the message pane.
    >>>>>> Therefore, I strongly recommend not activating JS.
    >>>>> The MZ KB says "JavaScript is disabled by default for the "Mail &
    >>>>> Newsgroups" component , for security reasons"
    >>>>>
    >>>>> Is this correct or incorrect?
    >>>>>
    >>>> It's not disabled by default in TB.
    >>>>
    >>>>
    >>>>> And I assume the JS setting is found only in FF and not in TB?
    >>>>> (I'm new to both)
    >>>>>
    >>>> Not so.
    >>>>
    >>>>
    >>>>> I have NoScript in my FF. If I block or otherwise disable a script
    >>>>> with
    >>>>> it, does that also extend to TB? (Of course, I wouldn't need to worry
    >>>>> about that if the KB is correct).
    >>>>>
    >>>> No. FF extensions are unaware of the existence of TB.
    >>>>
    >>>> You need to worry. :-)
    >>>>
    >>>>
    >>>
    >>> I believe JS is disabled. I had to allow it using 4 different lines
    >>> in my user.js file for scripts to work properly.
    >>>
    >>>

    >> Best for the OP to check, wouldn't you say?
    >>

    > OK . . . I have several listings, all default, in my TB about:config for
    > java and javascript.
    >
    > The first is javascript.allow.mailnews and it's set to false.
    >
    > The second is javascript.enabled and that's set to true.
    >
    > The next is javascript.options.showInConsole and that's set to true.
    >
    > The next is javascript.options.strict and that's set to false.
    >
    > Then I have security.enable_java and that's set to true.
    >
    > From what I can gather from the KB's, there's three that don't really
    > apply to disabling javascript embedded in emails:
    >
    > 1. javascript.options.showInConsole
    >
    > 2. javascript.options.strict
    >
    > 3. security.enable_java.
    >
    > But the KB's are not really clear about javascript.allow.mailnews and
    > javascript.enabled. And what's more confusing to me is that while
    > javascript.allow.mailnews is set to false, javascript.enabled is set to
    > true. Intuitively it would seem that javascript.enabled would determine
    > enabling/disabling and I should toggle that false.
    >
    > But then a lot of these things are anything BUT intuitive.
    >
    > So, before I toggle the wrong one and maybe mess things up, I thought
    > I'd ask for some guidance here.
    >
    > And the reason I brought up security.enable_java is that a poster here
    > mentioned it in this thread. That confused me even more.
    >
    > And they are all default settings, and since a poster here said "It's
    > not disabled by default in TB.", I'm REALLY confused.
    >
    > So which one should I toggle to disable embedded javascript in emails
    > and newsgroups, or are my settings OK and should I just leave things
    > alone??
    >
    >
    >


    The javascript.allow.mailnews set to false is what stops JS embedded in
    messages from being processed.

    This javascript.options.showInConsole permits detected JS errors to be
    displayed in the error console. That is an aid to bug reporting and the
    Tools menu is where you can launch the dialog. It will also list style
    errors in the Warnings tab.



    --
    Ron K.
    Who is General Failure, and why is he searching my HDD?
    Kernel Restore reported Major Error used BSOD to msg the enemy!
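
An added example (not part of any post in this thread, and not Mozilla code): a Python check that reads the text of a profile's prefs.js and user.js and reports whether javascript.allow.mailnews is still false, the setting named above as what stops JS embedded in messages. The defaults table is taken from the values posters report in this thread, the sample file contents are constructed, and the function names are hypothetical.

```python
import re

# Defaults as posters in this thread report them for TB 2.0.0.x
# (an assumption taken from the thread, not read from Thunderbird itself).
THREAD_DEFAULTS = {
    "javascript.allow.mailnews": False,  # the pref that gates JS in messages
    "javascript.enabled": True,
    "security.enable_java": True,        # Java plugin pref, not JavaScript
}

# One pref per line: user_pref("name", true|false|integer|"string");
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*'
    r'(?P<value>true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; the last one wins."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    prefs = {}
    for line in text.splitlines():
        # Lines starting with "//" or "#" never match, so commented-out
        # prefs are ignored rather than counted as active.
        match = PREF_RE.match(line)
        if not match:
            continue
        raw = match.group("value")
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[match.group("name")] = value
    return prefs


def audit(prefs_js="", user_js=""):
    """Resolve the watched prefs (default < prefs.js < user.js) and flag risk."""
    effective = {n: (v, "default") for n, v in THREAD_DEFAULTS.items()}
    for source, text in (("prefs.js", prefs_js), ("user.js", user_js)):
        for name, value in parse_prefs(text).items():
            if name in effective:
                effective[name] = (value, source)

    findings = []
    allow, source = effective["javascript.allow.mailnews"]
    blocked = allow is False  # anything other than an explicit false is flagged
    if not blocked:
        findings.append(
            f"javascript.allow.mailnews is {allow!r} (from {source}): "
            "scripts embedded in messages are not blocked"
        )
    for name, (value, src) in sorted(effective.items()):
        if src == "user.js":
            # user.js is re-read at every startup, so a change made in the
            # Config Editor does not survive a restart while the line exists.
            findings.append(f"{name}={value!r} is pinned by user.js")
    return {"effective": effective, "mail_js_blocked": blocked,
            "findings": findings}


# Constructed sample inputs (not taken from any real profile).
SAMPLE_PREFS_JS = '''# Mozilla User Preferences

/* Do not edit this file. */

user_pref("javascript.allow.mailnews", false);
user_pref("mail.server.server1.name", "constructed-account");
'''

SAMPLE_USER_JS = '''// constructed user.js that re-enables message scripts
user_pref("javascript.allow.mailnews", true);
// user_pref("javascript.enabled", false);
'''

if __name__ == "__main__":
    report = audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS)
    for name, (value, src) in sorted(report["effective"].items()):
        print(f"{name:32} {value!s:6} ({src})")
    print("mail JS blocked:", report["mail_js_blocked"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

To check a real profile, pass the contents of that profile's prefs.js and user.js as the two strings.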

  13. Re: Executing Scripts Embedded in HTML Emails

    *-* On Tue, 07 Oct 2008, at 20:11:45 -0400,
    *-* In Article WsWdnUc4LpA1Z3bVnZ2dnUVZ_rDinZ2d@mozilla.org,
    *-* Ron K. wrote
    *-* About Re: Executing Scripts Embedded in HTML Emails

    > Pete Holsberg on 10/7/2008 7:15 PM, keyboarded a reply:
    >> Ron K. has written on 10/7/2008 4:53 PM:
    >>> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>>> Will TB execute scripts that are embedded in HTML emails?


    >>> It can. However a recent discovery found that Tb is at high risk
    >>> to JS exploits. Unless a solution plan can be devised, future
    >>> releases will lose JS functionality in the message pane.
    >>> Therefore, I strongly recommend not activating JS.


    >> Do you mean this?


    >> "It was discovered that the same-origin check in Thunderbird could
    >> be bypassed. If a user had JavaScript enabled and were tricked into
    >> opening a malicious website, an attacker may be able to execute
    >> JavaScript in the context of a different website. (CVE-2008-3835) "


    > While Tb2 is not affected directly by some changes in the Gecko
    > trunk, the degree the CAPS security policies in Tb are still valid
    > is now questionable. I learned those policies have not been audited
    > in over 5 years.


    > Therefore, I decided to no longer discuss how to activate JS without
    > full disclosure, that the degree of risk is higher than previously
    > believed.


    > The only way it can be done for Tb is through the Config Edit and
    > toggling the pref from false to true.


    My TB 1.5 has

    Tools --> Options --> Privacy --> [General tab]

    [x] Block JavaScript in mail messages

    which toggles the javascript.allow.mailnews preference found in the
    Config editor. Is that UI option still available in TB2 or has it
    been removed?

    Ken Whiton

    FIDO: 1:132/152
    InterNet: kenwhiton@surfglobal.net.INVAL (remove the obvious to reply)

  14. Re: Executing Scripts Embedded in HTML Emails

    Ken Whiton on 10/8/2008 2:39 AM, keyboarded a reply:
    > *-* On Tue, 07 Oct 2008, at 20:11:45 -0400,
    > *-* In Article WsWdnUc4LpA1Z3bVnZ2dnUVZ_rDinZ2d@mozilla.org,
    > *-* Ron K. wrote
    > *-* About Re: Executing Scripts Embedded in HTML Emails
    >
    >> Pete Holsberg on 10/7/2008 7:15 PM, keyboarded a reply:
    >>> Ron K. has written on 10/7/2008 4:53 PM:
    >>>> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>>>> Will TB execute scripts that are embedded in HTML emails?

    >
    >>>>

    >
    >> The only way it can be done for Tb is through the Config Edit and
    >> toggling the pref from false to true.

    >
    > My TB 1.5 has
    >
    > Tools --> Options --> Privacy --> [General tab]
    >
    > [x] Block JavaScript in mail messages
    >
    > which toggles the javascript.allow.mailnews preference found in the
    > Config editor. Is that UI option still available in TB2 or has it
    > been removed?
    >


    It was removed from Tb 2.0.0.x and the default set to false.

    --
    Ron K.
    Who is General Failure, and why is he searching my HDD?
    Kernel Restore reported Major Error used BSOD to msg the enemy!

  15. Re: Executing Scripts Embedded in HTML Emails

    The date and time was 10/7/2008 6:42 PM, and on a whim, XS11E pounded
    out on the keyboard:

    > Pete Holsberg wrote:
    >
    >> Ron K. has written on 10/7/2008 4:53 PM:
    >>> It can. However a recent discovery found that Tb is at high risk
    >>> to JS exploits. Unless a solution plan can be devised, future
    >>> releases will lose JS functionality in the message pane.
    >>> Therefore, I strongly recommend not activating JS.
    >>>

    >> Thanks. Is there a simpler way to do that other than tools >
    >> options > config editor and search for javascript?

    >
    > What you describe is pretty easy, entries in the config editor are in
    > alphabetical order so scroll down to "security.enable_java".
    >
    >


    Java isn't the same as JavaScript.

    --
    Terry R.
    Anti-spam measures are included in my email address.
    Delete NOSPAM from the email address after clicking Reply.

  16. Re: Executing Scripts Embedded in HTML Emails

    XS11E has written on 10/7/2008 9:42 PM:
    > Pete Holsberg wrote:
    >
    >
    >> Ron K. has written on 10/7/2008 4:53 PM:
    >>
    >>> It can. However a recent discovery found that Tb is at high risk
    >>> to JS exploits. Unless a solution plan can be devised, future
    >>> releases will lose JS functionality in the message pane.
    >>> Therefore, I strongly recommend not activating JS.
    >>>
    >>>

    >> Thanks. Is there a simpler way to do that other than tools >
    >> options > config editor and search for javascript?
    >>

    >
    > What you describe is pretty easy, entries in the config editor are in
    > alphabetical order so scroll down to "security.enable_java".
    >
    >


    That's for Java, not javascript.

  17. Re: Executing Scripts Embedded in HTML Emails

    Ron K. has written on 10/8/2008 1:02 AM:
    > BJ on 10/8/2008 12:09 AM, keyboarded a reply:
    >
    >>
    >> OK . . . I have several listings, all default, in my TB about:config for
    >> java and javascript.
    >>
    >> The first is javascript.allow.mailnews and it's set to false.
    >>
    >> The second is javascript.enabled and that's set to true.
    >>
    >> The next is javascript.options.showInConsole and that's set to true.
    >>
    >> The next is javascript.options.strict and that's set to false.
    >>
    >> Then I have security.enable_java and that's set to true.
    >>
    >> From what I can gather from the KB's, there's three that don't really
    >> apply to disabling javascript embedded in emails:
    >>
    >> 1. javascript.options.showInConsole
    >>
    >> 2. javascript.options.strict
    >>
    >> 3. security.enable_java.
    >>
    >> But the KB's are not really clear about javascript.allow.mailnews and
    >> javascript.enabled. And what's more confusing to me is that while
    >> javascript.allow.mailnews is set to false, javascript.enabled is set to
    >> true. Intuitively it would seem that javascript.enabled would determine
    >> enabling/disabling and I should toggle that false.
    >>
    >> But then a lot of these things are anything BUT intuitive.
    >>
    >> So, before I toggle the wrong one and maybe mess things up, I thought
    >> I'd ask for some guidance here.
    >>
    >> And the reason I brought up security.enable_java is that a poster here
    >> mentioned it in this thread. That confused me even more.
    >>
    >> And they are all default settings, and since a poster here said "It's
    >> not disabled by default in TB.", I'm REALLY confused.
    >>
    >> So which one should I toggle to disable embedded javascript in emails
    >> and newsgroups, or are my settings OK and should I just leave things
    >> alone??
    >>

    >
    > The javascript.allow.mailnews set to false is what stops JS embedded in
    > messages from being processed.
    >


    That's what it says at http://preferential.mozdev.org/preferences.html.
    However, where else would javascript be executed? And why is there a
    javascript.enabled, true by default? I set it to false. Maybe belt and
    suspenders, but ...



  18. Re: Executing Scripts Embedded in HTML Emails

    Ron K. wrote:
    > BJ on 10/8/2008 12:09 AM, keyboarded a reply:
    >> Pete Holsberg wrote:
    >>> Terry R. has written on 10/7/2008 8:34 PM:
    >>>> The date and time was 10/7/2008 5:26 PM, and on a whim, Pete
    >>>> Holsberg pounded out on the keyboard:
    >>>>
    >>>>
    >>>>> BJ has written on 10/7/2008 7:18 PM:
    >>>>>
    >>>>>> Ron K. wrote:
    >>>>>>
    >>>>>>> Pete Holsberg on 10/7/2008 4:45 PM, keyboarded a reply:
    >>>>>>>
    >>>>>>>> Will TB execute scripts that are embedded in HTML emails
    >>>>>>>>
    >>>>>>> It can. However a recent discovery found that Tb is at high risk
    >>>>>>> to JS exploits. Unless a solution plan can be devised, future
    >>>>>>> releases will lose JS functionality in the message pane.
    >>>>>>> Therefore, I strongly recommend not activating JS.
    >>>>>> The MZ KB says "JavaScript is disabled by default for the "Mail &
    >>>>>> Newsgroups" component , for security reasons"
    >>>>>>
    >>>>>> Is this correct or incorrect?
    >>>>>>
    >>>>> It's not disabled by default in TB.
    >>>>>
    >>>>>
    >>>>>> And I assume the JS setting is found only in FF and not in TB?
    >>>>>> (I'm new to both)
    >>>>>>
    >>>>> Not so.
    >>>>>
    >>>>>
    >>>>>> I have NoScript in my FF. If I block or otherwise disable a
    >>>>>> script with
    >>>>>> it, does that also extend to TB? (Of course, I wouldn't need to
    >>>>>> worry
    >>>>>> about that if the KB is correct).
    >>>>>>
    >>>>> No. FF extensions are unaware of the existence of TB.
    >>>>>
    >>>>> You need to worry. :-)
    >>>>>
    >>>>>
    >>>>
    >>>> I believe JS is disabled. I had to allow it using 4 different lines
    >>>> in my user.js file for scripts to work properly.
    >>>>
    >>>>
    >>> Best for the OP to check, wouldn't you say?
    >>>

    >> OK . . . I have several listings, all default, in my TB about:config for
    >> java and javascript.
    >>
    >> The first is javascript.allow.mailnews and it's set to false.
    >>
    >> The second is javascript.enabled and that's set to true.
    >>
    >> The next is javascript.options.showInConsole and that's set to true.
    >>
    >> The next is javascript.options.strict and that's set to false.
    >>
    >> Then I have security.enable_java and that's set to true.
    >>
    >> From what I can gather from the KB's, there's three that don't really
    >> apply to disabling javascript embedded in emails:
    >>
    >> 1. javascript.options.showInConsole
    >>
    >> 2. javascript.options.strict
    >>
    >> 3. security.enable_java.
    >>
    >> But the KB's are not really clear about javascript.allow.mailnews and
    >> javascript.enabled. And what's more confusing to me is that while
    >> javascript.allow.mailnews is set to false, javascript.enabled is set to
    >> true. Intuitively it would seem that javascript.enabled would determine
    >> enabling/disabling and I should toggle that false.
    >>
    >> But then a lot of these things are anything BUT intuitive.
    >>
    >> So, before I toggle the wrong one and maybe mess things up, I thought
    >> I'd ask for some guidance here.
    >>
    >> And the reason I brought up security.enable_java is that a poster here
    >> mentioned it in this thread. That confused me even more.
    >>
    >> And they are all default settings, and since a poster here said "It's
    >> not disabled by default in TB.", I'm REALLY confused.
    >>
    >> So which one should I toggle to disable embedded javascript in emails
    >> and newsgroups, or are my settings OK and should I just leave things
    >> alone??
    >>
    >>
    >>

    >
    > The javascript.allow.mailnews set to false is what stops JS embedded in
    > messages from being processed.
    >
    > This javascript.options.showInConsole permits detected JS errors to be
    > displayed in the error console. That is an aid to bug reporting and the
    > Tools menu is where you can launch the dialog. It will also list style
    > errors in the Warnings tab.
    >
    >
    >

    Got it. So I don't need to toggle anything . . . just leave it the way
    it is.

    --
    Anti-spam measures are included in my email address.
    Delete NOSPAM from the email address after clicking Reply.

  19. Re: Executing Scripts Embedded in HTML Emails

    Pete Holsberg wrote:
    > Ron K. has written on 10/8/2008 1:02 AM:
    >> BJ on 10/8/2008 12:09 AM, keyboarded a reply:
    >>
    >>>
    >>> OK . . . I have several listings, all default, in my TB about:config for
    >>> java and javascript.
    >>>
    >>> The first is javascript.allow.mailnews and it's set to false.
    >>>
    >>> The second is javascript.enabled and that's set to true.
    >>>
    >>> The next is javascript.options.showInConsole and that's set to true.
    >>>
    >>> The next is javascript.options.strict and that's set to false.
    >>>
    >>> Then I have security.enable_java and that's set to true.
    >>>
    >>> From what I can gather from the KB's, there's three that don't really
    >>> apply to disabling javascript embedded in emails:
    >>>
    >>> 1. javascript.options.showInConsole
    >>>
    >>> 2. javascript.options.strict
    >>>
    >>> 3. security.enable_java.
    >>>
    >>> But the KB's are not really clear about javascript.allow.mailnews and
    >>> javascript.enabled. And what's more confusing to me is that while
    >>> javascript.allow.mailnews is set to false, javascript.enabled is set to
    >>> true. Intuitively it would seem that javascript.enabled would determine
    >>> enabling/disabling and I should toggle that false.
    >>>
    >>> But then a lot of these things are anything BUT intuitive.
    >>>
    >>> So, before I toggle the wrong one and maybe mess things up, I thought
    >>> I'd ask for some guidance here.
    >>>
    >>> And the reason I brought up security.enable_java is that a poster here
    >>> mentioned it in this thread. That confused me even more.
    >>>
    >>> And they are all default settings, and since a poster here said "It's
    >>> not disabled by default in TB.", I'm REALLY confused.
    >>>
    >>> So which one should I toggle to disable embedded javascript in emails
    >>> and newsgroups, or are my settings OK and should I just leave things
    >>> alone??
    >>>

    >>
    >> The javascript.allow.mailnews set to false is what stops JS embedded
    >> in messages from being processed.
    >>

    >
    > That's what it says at http://preferential.mozdev.org/preferences.html.
    > However, where else would javascript be executed? And why is there a
    > javascript.enabled, true by default? I set it to false. Maybe belt and
    > suspenders, but ...
    >
    >

    Echo on the second question . . .

    --
    Anti-spam measures are included in my email address.
    Delete all the NOSPAMs from the email address after clicking Reply.

  20. Re: Executing Scripts Embedded in HTML Emails

    Pete Holsberg wrote:

    > XS11E has written on 10/7/2008 9:42 PM:
    >> What you describe is pretty easy, entries in the config editor
    >> are in alphabetical order so scroll down to
    >> "security.enable_java".

    >
    > That's for Java, not javascript.


    My config editor shows javascript is set to "false" by default so
    there's no need to look for it, is there, unless the OP has previously
    edited the config settings.

    The only java entry that is set "true" by default is the one I showed
    above.



    --
    XS11E, Killing all posts from Google Groups
    The Usenet Improvement Project:
    http://improve-usenet.org
