Tuesday, September 06, 2011

» FF6/FF7: Re-enable javascript: from urlbar +

Jump a bit for instructions on how to re-enable execution of javascript: urls in Firefox 6.0.1 and 7.0.

Background

So, much to my surprise, javascript: urls stopped working after I upgraded to FF6. I assumed it was a bug, and would be fixed soon enough. After all, "ReferenceError: alert is not defined" couldn't be intentional, right? I mean, javascript:alert(foo.prop); has worked since before javascript was even invented, amirite?

Not so. In bug 527530 it was considered necessary to remove execution of even typed-in javascript: urls in order to circumvent naive users being tricked into running malicious code. Chrome chose to address the social problem with a technical solution also--by disabling execution of drag-dropped and pasted javascript, but not removing the execution of typed-in javascript. Chrome also restores the urlbar after running the script. I have no idea what IE does, but the bug mentioned that it addresses the issue without removing typed javascript url execution.

I tend to think that it's a staple tool used by thousands daily, competing browsers support it, and I can't see a good reason why it shouldn't be available. Counter arguments that it takes fewer keystrokes to launch Web Console or Scratchpad miss the fact that not everyone has incorporated those tools into their workflows. Requiring developers to adopt completely new workflows to use Firefox is a Really Bad Idea(TM), especially if they've been productive with their current workflows for a long time. Further, that's a user interface design concern and shouldn't be rolled into the security concern. And as far as ui design goes, like it or not, besides javascript execution, the urlbar is also used to launch the download manager (from a user perspective, "paste this in your browser to download X" is completely different from "navigate to google"), to view internal information and state (about:*), and to launch the source viewer (view-source:). There are probably more I'm forgetting.

The only compelling argument for removing javscript execution from the urlbar completely is that users may still be tricked into pasting bad scripts, they'll just have to type a letter or two before hitting enter--"Check out the super secret awesome page! Paste this in your browser then press the Home key and type ja and press enter: vascript:badstuff()". Since the hypothetical naive user thinks the urlbar is only for urls, this could be a successful attack vector, but I'm not so sure it would be.

In any case, I'm perfectly fine with having a default-false boolean pref. This allows for developers to enable it, and it mitigates all the security concerns as it requires explicit opt-in. Bug 680302 is tracking adding such a pref.

Fixing Firefox 6.0.1 and 7.0

If you're like me and can't wait to turn urlbar execution of javascript back on, I'm including a backpatch to Firefox 6.0.1 and instructions to apply it.

Note: This is only tested on Linux, but should be identical on Windows and Mac, you'll just have to find where omni.jar is stored on those platforms and find tools un/zip it (it's a PKZIP format file), and to apply universal difference files.

Edit: This process works for FF7 release, you just need to adjust the paths and use something like 10 fuzziness when applying the patch (patch -p0 -F10 < ...).

All platforms

Go to about:config and right click, add a new boolean preference named browser.urlbar.allowInheritPrincipal and set it to true. Shutdown the browser.

Linux

mkdir ff6
cd ff6
wget -O ff_urlbar_javascript_pref.diff \
'http://sites.google.com/site/monkeesage/files/ff_urlbar_javascript_pref.diff?d=1'
unzip /usr/lib/firefox-6.0.1/omni.jar
patch -p0 < ff_urlbar_javascript_pref.diff
sudo rm /usr/lib/firefox-6.0.1/omni.jar
sudo zip -r /usr/lib/firefox-6.0.1/omni.jar .
cd ..
rm -rf ff6

Others

So first grab the patch: ff_urlbar_javascript_pref.diff

Make a directory and extract omni.jar into it.

Apply the patch (from inside the directory).

Create a new zip archive named omni.jar with the contents of the directory you extracted to, and move this over the original omni.zip. Look inside both before moving yours over the original, to make sure they have the same directory structure.

Restart Fixefox and you're back to being a normal, competent adult. :)

Labels: , , ,