# Mozilla privacy bug

## SQLBoy

This was posted on slashdot.org today and I figured I would pass it on.  This page has the bug and the fix.  I put these lines in the /usr/lib/mozilla/defaults/pref/all.js file:

```
pref("network.http.sendRefererHeader", 0);
pref("capability.policy.default.Window.onunload", "noAccess");
```

Here is the link:

http://members.ping.de/~sven/mozbug/refcook.html

Matt

----------

## rac

Yet another reason to turn off Javascript.

----------

## SQLBoy

Yeah, I know.  I wish I could turn it off myself but I need it for a couple of sites.  What would be cool is if Galeon would let you actually specify "javascript" sites and block it on all other sites.

----------

## infox

I would set up an http proxy such as oops.  I use this at home and I am not affected by this bug, and it's quite nice along with junkbuster.

----------

## pilla

I've tried to reproduce the bug using the link in Slashdot, but wasn't able. Running mozilla 1.0-r3

----------

## rojaro

there is no need to disable javascript completely. adding the following line is fully sufficient.

```
pref("capability.policy.default.Window.onunload", "noAccess");
```

disabling the sendRefererHeader function will result in lots of dynamic websites not working for you.
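
The two pref lines posted above are the whole fix, but editing all.js by hand is easy to get wrong (a duplicated or stale `pref()` line for the same name silently wins or loses depending on order). The following is an added example, not code from the thread or from Mozilla: a small parser for the `pref("name", value);` line format that reports which of the two mitigations are still missing and rewrites the file text idempotently. The pref names come from the posts above; the sample file excerpt is constructed for the example, and the `fn`, `referer_too` and function names are my own.

```python
import re

# Matches one Mozilla preference line, e.g.  pref("name", value);  or  user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*(?P<fn>pref|user_pref)\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.*?)\s*\);\s*$'
)

# The two settings from the thread.  The onunload policy alone closes the hole;
# sendRefererHeader = 0 additionally stops Referer leakage but breaks some dynamic sites.
MITIGATIONS = {
    "capability.policy.default.Window.onunload": "noAccess",
    "network.http.sendRefererHeader": 0,
}


def _decode(raw):
    """Turn the literal on the right-hand side of a pref line into a Python value."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw == "true":
        return True
    if raw == "false":
        return False
    try:
        return int(raw)
    except ValueError:
        return raw  # anything exotic is kept as its literal text


def _encode(value):
    """Inverse of _decode: render a Python value as a pref literal."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"%s"' % value


def parse_prefs(text):
    """Return {name: value} for every pref()/user_pref() line; comments and blank lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group("name")] = _decode(m.group("value"))
    return prefs


def set_pref(text, name, value, fn="pref"):
    """Return text with `name` set to `value`: every existing line for that
    name is rewritten in place (so no duplicates survive), else one is appended."""
    new_line = '%s("%s", %s);' % (fn, name, _encode(value))
    lines = text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        m = PREF_RE.match(line)
        if m and m.group("name") == name:
            lines[i] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


def missing_mitigations(text):
    """Names from MITIGATIONS whose current value is absent or different (sorted)."""
    current = parse_prefs(text)
    return sorted(n for n, v in MITIGATIONS.items() if current.get(n) != v)


def apply_mitigations(text, referer_too=True):
    """Apply the onunload policy, and optionally the Referer setting, to the file text."""
    for name, value in MITIGATIONS.items():
        if name == "network.http.sendRefererHeader" and not referer_too:
            continue
        text = set_pref(text, name, value)
    return text


# Constructed excerpt standing in for all.js (not the real file contents).
SAMPLE_ALL_JS = """\
// constructed sample, not Mozilla's all.js
pref("general.useragent.locale", "en-US");
pref("network.http.sendRefererHeader", 2);
pref("javascript.enabled", true);
"""

if __name__ == "__main__":
    print("missing before:", missing_mitigations(SAMPLE_ALL_JS))
    fixed = apply_mitigations(SAMPLE_ALL_JS)
    print(fixed)
    print("missing after:", missing_mitigations(fixed))
```

Run it against the real file by reading /usr/lib/mozilla/defaults/pref/all.js into `text` and writing back the result of `apply_mitigations(text)` (with `referer_too=False` if you want only the onunload line, as rojaro suggests). Since all.js belongs to the package and is replaced on upgrade, the same lines placed in a `user.js` in the profile directory (using `fn="user_pref"`) persist across upgrades.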

----------

## rac

 *rojaro wrote:*   

> there is no need to disable javascript completely.

 

I maintain that the security model of Javascript is broken as designed, and in my opinion it allows people who write websites to run arbitrary code on your machine under the user id of your browser.  I do not remember one single security-related problem ever discovered in any web browser that could not have been completely avoided by turning Javascript off.

----------

## pjp

Unfortunately, turning javascript off can make browsing non-functional  :Sad: 

----------

## Naan Yaar

Are we forgetting ActiveX here  :Smile: ?

 *rac wrote:*   

> ...I do not remember one single security-related problem ever discovered in any web browser that could not have been completely avoided by turning Javascript off.

 

----------

## rac

 *Naan Yaar wrote:*   

> Are we forgetting ActiveX here ?

 

Excuse me.  Is it possible to turn off ActiveX?  I've never used MSIE or Windows.

----------

## Naan Yaar

You can disable ActiveX in MSIE in addition to Javascript and Java.  ActiveX is a bad idea.

 *rac wrote:*   

> ...Excuse me.  Is it possible to turn off ActiveX?  I've never used MSIE or Windows.

 

----------

## rizzo

 *rac wrote:*   

> I've never used MSIE or Windows.

 

You've never used Windows?  You, sir, are my hero.

----------

## pilla

A virgin.... he's pure  :Cool: 

 *rizzo wrote:*   

>  *rac wrote:*
> > I've never used MSIE or Windows.
> 
> You've never used Windows?  You, sir, are my hero.

 

----------

## rojaro

 *rac wrote:*   

>  *rojaro wrote:*
> > there is no need to disable javascript completely.
> 
> I maintain that the security model of Javascript is broken as designed, and in my opinion it allows people who write websites to run arbitrary code on your machine under the user id of your browser.  I do not remember one single security-related problem ever discovered in any web browser that could not have been completely avoided by turning Javascript off.

 

that's a pretty harsh view ... because you could say the same about ANY and EVERY piece of software ever made ... so if one's scared about "new" technologies like javascript as in our example (or .NET, Java, C++, Perl, PHP etc), one shouldn't use computers at all ... avoiding a traffic accident by not using cars won't solve the problem of traffic accidents in general ... don't fear - just master the technology before it masters you

----------

## pjp

 *rojaro wrote:*   

> avoiding a traffic accident by not using cars won't solve the problem of traffic accidents in general

 No, but I could certainly choose to not drive a car from a particular manufacturer that had a history of safety problems.

----------

## Naan Yaar

There is a clear difference between technologies that you choose to run explicitly on your computer and stuff that creeps in insidiously through your browser.  Using a web browser as a program delivery mechanism is fraught with risks, as evidenced by the number of security issues with Javascript/ActiveX/Flash/Java...

The issue is not the technology itself; rather whether it is delivered and used within reasonable security constructs.

 *rojaro wrote:*   

> ...
> 
> that's a pretty harsh view ... because you could say the same about ANY and EVERY piece of software ever made ... so if one's scared about "new" technologies like javascript as in our example (or .NET, Java, C++, Perl, PHP etc), one shouldn't use computers at all ... avoiding a traffic accident by not using cars won't solve the problem of traffic accidents in general ... don't fear - just master the technology before it masters you

 

----------

## dioxmat

btw, to disable js on the fly, have a look at http://xulplanet.com/downloads/prefbar/

----------

## pjp

 *dioxmat wrote:*   

> disable js on the fly

 Galeon users can select "Settings" -> "Allow Java" or "Allow JavaScript".  I didn't see anything in Mozilla.

----------

## rojaro

 *kanuslupus wrote:*   

>  *rojaro wrote:*
> > avoiding a traffic accident by not using cars won't solve the problem of traffic accidents in general
> 
> No, but I could certainly choose to not drive a car from a particular manufacturer that had a history of safety problems.

 

hehe ... name ONE car manufacturer which never called back a model due to construction/technical design problems ... :)

----------

## pjp

Having a history of problems vs. a few, or minor problems, is a big difference.  I didn't say zero problems.

----------

## rojaro

 *kanuslupus wrote:*   

>  *dioxmat wrote:*
> > disable js on the fly
> 
> Galeon users can select "Settings" -> "Allow Java" or "Allow JavaScript".  I didn't see anything in Mozilla.

 

Edit -> Preferences -> Advanced -> Scripts & Plugins 

"Enable Javascript for" [x] Navigator

----------

## pjp

That is a bit more involved than 'on the fly' suggests IMO.  Thanks for pointing it out though.

----------

## dioxmat

 *kanuslupus wrote:*   

>  *dioxmat wrote:*
> > disable js on the fly
> 
> Galeon users can select "Settings" -> "Allow Java" or "Allow JavaScript".  I didn't see anything in Mozilla.

 

hence this prefbar.

the pref is buried in Edit > Preferences > Advanced. this prefbar, which kicks ass btw, allows quick modifications of just about any pref, among other things.

----------

## rojaro

yeah, prefbar rocks ... especially those little features which allow you to change the user agent on the fly and enable/disable popups and java

----------

## rac

@rizzo re: my Windows virginity.  Actually, I did use Windows 1.0 or 2.0 (definitely pre-3.1) for about six weeks once in late 1988, because it was the way to get PageMaker running on the DOS machines at work.

 *rojaro wrote:*   

> so if one's scared about "new" technologies like javascript as in our example (or .NET, Java, C++, Perl, PHP etc), one shouldnt use computers at all

 

As Naan Yaar pointed out (probably more eloquently than I am going to here), there are differences, and it's the mode of deployment that bothers me.

.NET I don't know enough about to evaluate, but I understand the rudiments of SOAP and XML-RPC, and as much as I admire Dave Winer (I bought Frontier 1.0, still have the cow-skull T-shirt to prove it, and was a rabid Frontier hacker and evangelist for a few years), and as cool hacks as they are, the security of those protocols does indeed give me cause for concern.

Java has security built into the design of the language.  The privilege system is strong, the sandbox is part of the VM, and illegal instructions and buffer overflows and such are avoided by disallowing pointer access to raw memory.  Comparing Java and Javascript (just in case anyone following this thread is unaware of the history, JavaScript (I think it was called LiveScript originally) was a Netscape thing and has absolutely nothing whatsoever to do with Java - some marketroids at Netscape decided that putting "Java" in the name made it sound better) is a good exercise.  Java was designed to run untrusted code in a secure manner.  Javascript is designed to allow authors of web pages to remotely control operation of the browser's software.

As far as C++, Perl and PHP go, where they are used on the web, they run on the server.  I see only the HTML that they output.  HTML is not code that executes on my system.  HTML is data that is rendered by my browser.  There is no security implication.  If you are referring to security problems on the server side, this is a different discussion (and I will be glad to have it somewhere, if you wish).

Many security exploits refer to the ability of a remote attacker to execute arbitrary code on the exploited machine.  If I compile and install source code with "emerge", I am choosing to trust the Gentoo ebuild maintainer, and whoever runs the mirror I am downloading from.  There is accountability of a sort - if there is a problem, I know where to turn to report it, and I have the source code so that I can figure out what is happening.

If I open a URL in my browser, it will give me a file to save on my system and do whatever I want to do with it, or it will render HTML in a window for me.  If I have Java enabled, it may download some applets and run them in a sandbox.  If, on the other hand, I have Javascript turned on, the simple act of accessing a URL with my browser potentially gives the author of that web page the ability to execute arbitrary code on my computer under my username with the privileges of that account.  That is not acceptable to me.

I don't care if it makes the browsing experience less rich or easy.  For example, I have to type the smilies in my posts, because clicking on them doesn't do anything.  Any website that makes some content only available if a browser has enabled Javascript is poorly written, IMO, and I avoid them.  Sometimes I write them a letter explaining this position.

Note that I am not trying to eradicate Javascript from the face of the planet.  If people want to use it, and people want to write it, that's fine.  Where I get angry is when people who create web pages choose to block access to people because they do not enable Javascript, even when there is no good technical reason for doing so.  Case in point: Javascript menus that do not degrade to normal HTML links.  I see absolutely no reason for this except rudeness, laziness, or ignorance.

----------

## rojaro

 *rac wrote:*   

> As far as C++, Perl and PHP go, where they are used on the web, they run on the server.  I see only the HTML that they output.  HTML is not code that executes on my system.  HTML is data that is rendered by my browser.  There is no security implication.  If you are referring to security problems on the server side, this is a different discussion (and I will be glad to have it somewhere, if you wish).

 

Oh you can do far worse things ... there have been a few really bad exploits for php itself lately on which you can get the details on the php.net page and at security focus and glsa-announcements here. And also, as you have pointed out already, if the program running in php or perl is badly implemented you'll often have even bigger holes (and there are LOTS of examples at securityfocus.com for that and both - php and perl).

 *rac wrote:*   

> If I open a URL in my browser, it will give me a file to save on my system and do whatever I want to do with it, or it will render HTML in a window for me.  If I have Java enabled, it may download some applets and run them in a sandbox.  If, on the other hand, I have Javascript turned on, the simple act of accessing a URL with my browser potentially gives the author of that web page the ability to execute arbitrary code on my computer under my username with the privileges of that account.  That is not acceptable to me.

 

but this is usually a problem of a very bad implementation of javascript (-> see ie). if the java runtime environment is badly designed (-> see microsoft's java implementation) you probably can break the sandbox and do what you want on a victim's machine ... same applies to the really freaking activex crap from microsoft - i mean you connect to windowsupdate.microsoft.com and you'll have no idea what this activex update & installation applet transmits to microsoft and if you don't use it you won't get any updates. (check m$ knowledge base ... in most cases it tells you now to consult windowsupdate.microsoft.com to get your security holes fixed)

 *rac wrote:*   

> I don't care if it makes the browsing experience less rich or easy.  For example, I have to type the smilies in my posts, because clicking on them doesn't do anything.  Any website that makes some content only available if a browser has enabled Javascript is poorly written, IMO, and I avoid them.  Sometimes I write them a letter explaining this position.

 

well ... who needs stupid graphic smilies ... i disabled that function for posting messages entirely ... those graphic smilies sometimes really piss me off, especially when I'm posting some source code which contains e.g. "8)" or ":]" (as in "[:alpha:]" -> regular expressions)

 *rac wrote:*   

> Note that I am not trying to eradicate Javascript from the face of the planet.  If people want to use it, and people want to write it, that's fine.  Where I get angry is when people who create web pages choose to block access to people because they do not enable Javascript, even when there is no good technical reason for doing so.  Case in point: Javascript menus that do not degrade to normal HTML links.  I see absolutely no reason for this except rudeness, laziness, or ignorance.

 

oh thats just so true ... or stuff like disabling right-clicking and popunders & popups (which mozilla cures pretty nicely)

----------

## rac

 *rojaro wrote:*   

> Oh you can do far worse things ... there have been a few really bad exploits for php itself lately [...] if the program running in php or perl is badly implemented you'll often have even bigger holes (and there are LOTS of examples at securityfocus.com for that and both - php and perl).

 

True...but that's on the server side, right?  I fail to see how any of that can affect the client side, because all the client is seeing is HTML.  I guess if there was a buffer overflow in a rendering engine that was triggered by some bizarre HTML, you could make a DoS attack page - actually, come to think of it, someone mentioned that they managed to bring down an entire Windows environment in VMware trying to render the nested quote bomb thread.

 *Quote:*   

> but this is usually a problem of a very bad implementation of javascript (-> see ie).

 

No, I think it's more than that.  Javascript has no concept of security built into the language.  Java does.  With Javascript, the implementation has to actively try to stop unwanted things from happening.  With Java, the VM does this for you at a very low level by design, and you have to explicitly allow code to do potentially unsafe things.

 *Quote:*   

> if the java runtime environment is badly designed (-> see microsoft's java implementation) you probably can break the sandbox and do what you want on a victim's machine

 

Yes, but that's a serious VM bug, and by definition if such bugs exist the VM cannot be certified as adhering to the Java Language Specification.  It's impossible to make a compliant VM that doesn't enforce strict security rules - I don't think the same is true of Javascript.

----------

## rojaro

 *rac wrote:*   

> True...but that's on the server side, right?  I fail to see how any of that can affect the client side, because all the client is seeing is HTML.

 

ah, got your point now :)

----------

