This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Support
Support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Feature Request: make javascript opt-in on non-HTTPS sites

n0u355lo
Making moves
‎12-17-2024 06:15 AM
Status: New idea

My feature request is to disable javascript by default on non-HTTPS sites, and have a permission popup appear (like Canvas or Location request permissions) if the site tries to use javascript, with a short explanation like "example.com is not a secure site, but is trying to run javascript. This is not safe and could be abused by an attacker to take over your browser or computer. Learn More..." with a link to a mozilla support page.

The reasoning is that malicious javascript can be injected into non-HTTPS sites by an attacker, for example an attacker sharing the same Wi-Fi network in a coffee shop or in a position to monitor network traffic.

The "HTTPS-Only Mode" doesn't quite do the same thing, as someone could be reasonably cautious about visiting only legitimate (malware-free) sites, and still want to visit a legitimate non-HTTPS site (like some older popular "personal homepage"-style sites that were set up before HTTPS was common, and were never updated). Also this would protect people who don't have the "HTTPS-Only Mode" setting enabled.

Hopefully this is a good idea, and if implemented other browsers could copy it.

Firefox  

Firefox
Firefox
See more ideas labeled with:
Comment
2 Comments
Status changed to: New idea
Jon
Community Manager
Community Manager
‎12-17-2024 06:54 AM
‎12-17-2024 06:54 AM

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

cboozar
Employee
Employee
‎12-17-2024 07:32 AM
‎12-17-2024 07:32 AM

Thanks for the recommendation @n0u355lo. We are actually looking at a number of scenarios to limit script execution for exactly the reasons you outline, but you bring up an excellent point that non-HTTPS sites might actually make for a great trigger for us to be more aggressive about how and when we communicate that behavior to the user. I look forward to seeing what others think and seeing how we can fold your feedback into our roadmap!

Copyright © 2024 Khoros, LLC