n0u355lo
Making moves
Status: New idea

My feature request is to disable JavaScript by default on non-HTTPS sites, and have a permission popup appear (like Canvas or Location request permissions) if the site tries to use JavaScript, with a short explanation like "example.com is not a secure site, but is trying to run JavaScript. This is not safe and could be abused by an attacker to take over your browser or computer. Learn More..." with a link to a Mozilla support page.

The reasoning is that malicious JavaScript can be injected into non-HTTPS sites by an attacker, for example an attacker sharing the same Wi-Fi network in a coffee shop or in a position to monitor network traffic.

The "HTTPS-Only Mode" doesn't quite do the same thing, as someone could be reasonably cautious about visiting only legitimate (malware-free) sites, and still want to visit a legitimate non-HTTPS site (like some older popular "personal homepage"-style sites that were set up before HTTPS was common, and were never updated). Also this would protect people who don't have the "HTTPS-Only Mode" setting enabled.

Hopefully this is a good idea, and if implemented other browsers could copy it.

Firefox  
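The decision the request describes can be modelled as a small policy: treat a page as "secure" using the same notion of a potentially trustworthy origin that browsers already apply to other powerful features (https: and wss: schemes, file:, and http: served from localhost or a loopback address, per the W3C Secure Contexts definition), allow script there unprompted, and otherwise consult a per-origin grant store or prompt. The following is an added example written for this page, not Firefox code and not the poster's; the function and class names, the grant store and the prompt wording are illustrative, and the loopback rules reflect the Secure Contexts spec rather than any specific Firefox implementation.

```javascript
// Added example: a model of "block script on non-HTTPS pages, prompt for permission".
// Not Firefox code. Names (isPotentiallyTrustworthy, ScriptPermissions) are made up here.

const TRUSTWORTHY_SCHEMES = new Set(["https:", "wss:", "file:"]);

// Loopback hosts are treated as secure even over plain http:, as browsers do for
// other secure-context features (localhost, *.localhost, 127.0.0.0/8, ::1).
// URL.hostname keeps the brackets on IPv6 literals, e.g. "[::1]".
function isLoopbackHost(host) {
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// True when the page origin cannot be tampered with by an on-path network attacker
// (or never crosses the network at all). Unparseable URLs are never trusted.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  if (TRUSTWORTHY_SCHEMES.has(url.protocol)) return true;
  if (url.protocol === "http:" || url.protocol === "ws:") return isLoopbackHost(url.hostname);
  return false;
}

// Per-origin answers recorded from the permission prompt. Grants are keyed by
// origin (scheme + host + port), so http://example.com and http://sub.example.com
// are decided separately, mirroring how site permissions are scoped today.
class ScriptPermissions {
  constructor() {
    this.answers = new Map(); // origin -> "allow" | "deny"
  }

  decide(urlString) {
    if (isPotentiallyTrustworthy(urlString)) {
      return { action: "allow", reason: "secure-context" };
    }
    let url;
    try {
      url = new URL(urlString);
    } catch {
      return { action: "block", reason: "invalid-url" };
    }
    const answer = this.answers.get(url.origin);
    if (answer === "allow") return { action: "allow", reason: "user-granted" };
    if (answer === "deny") return { action: "block", reason: "user-denied" };
    return {
      action: "prompt",
      reason: "insecure-origin",
      // Wording adapted from the request; the support link is left out here.
      message: `${url.host} is not a secure site, but is trying to run JavaScript. ` +
        "This is not safe and could be abused by an attacker to take over your browser or computer.",
    };
  }

  // Record the user's answer for the page's origin.
  remember(urlString, allow) {
    const origin = new URL(urlString).origin;
    this.answers.set(origin, allow ? "allow" : "deny");
  }
}

// Stand-alone run: walk a few constructed page URLs through the policy.
const demo = new ScriptPermissions();
for (const page of ["https://example.com/", "http://localhost:3000/", "http://example.com/old-homepage.html"]) {
  console.log(page, "->", demo.decide(page).action);
}
```

The loopback cases are the caveat worth noting against the request as written: a developer's http://localhost page is not exposed to the coffee-shop attacker the post describes, and a blanket "non-HTTPS means prompt" rule would nag on every local dev server, so the policy should key off secure-context rules rather than the scheme alone.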

3 Comments
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

cboozar
Employee

Thanks for the recommendation @n0u355lo. We are actually looking at a number of scenarios to limit script execution for exactly the reasons you outline, but you bring up an excellent point that non-HTTPS sites might actually make for a great trigger for us to be more aggressive about how and when we communicate that behavior to the user. I look forward to seeing what others think and seeing how we can fold your feedback into our roadmap!

anon17402101
Strollin' around

This is actually a good idea. Currently nobody does this, although JavaScript on HTTP sites is dangerous.