為了改善您的使用體驗,本網站正在進行維護,部分功能暫時無法使用。若本站的文件無法解決您的問題,想要向社群發問的話,請到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 發問,我們的社群成員將很快會回覆您的疑問。

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

Is turning off iFrames via about:config > browser.frames.enabled;false broken in Firefox 23?

  • 2 回覆
  • 15 有這個問題
  • 7 次檢視
  • 最近回覆由 blurker

more options

I noticed that Firefox with version 23 removed option to turn OFF JavaScriipt from Tools > Options > Content menu http://www.extremetech.com/computing/163291-firefox-23-finally-kills-the-blink-tag-removes-ability-to-turn-off-javascript-introduces-new-logo

Recent events when allegedly FBI used JavaScript in iframe to exploit bug in Firefox with intentions to uncover identity of users of TOR network encouraged me to play with security settings a bit. More about how FBI exploited Firefox bug to execute malitious JavaScript on users computers: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html More biased articles can be found in popular media articles. Just google "TOR exploit FBI"

ISSUE:

Symptoms: I noticed that turning iFrames OFF in about:config > browser.frames.enabled;false seems to not be working as expected. Iframes are still shown and JavaScript in them is executed. Doesnt work even after resterting Firefox.

Testing: I used this pages to test iFrames: •https://sites.google.com/site/annuairevin/test-pagehttp://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframehttp://www.quirksmode.org/iframetest.html

After I turned browser.frames.enabled OFF and restarted I noticed that iFrames are still shown on all 3 pages and JavaScript in them would be executed.

By blocking IFRAMES with NoScript blocking turned ON (you have to turn forbidding IFRAMES on manually in options http://i.imgur.com/7jctoTW.png) I managed to block IFRAMES on google and w3school pages.

!!!Text in iframe "Test page in iframe" on quirksmode test page was still shown even after I have frames turned OFF in about:config and I block all scripts and frames and iframes with NoScript.

If I open same page (http://www.quirksmode.org/iframetest.html) with Opera with iFrames blocked in Preferences, iFrame is not shown at all, browser doesnt even render empty square; but JavaScript in it is executed, if you dont disable JavaScript in Preferences > Advanced. I didnt test Chrome at all.


Possible things that can cause bug: •I am using NoScript 2.6.7, I turned it off and on but it is possible that it is overriding Firefox settings in about:config. when you serach about:config for "frames" there are many settings mentioning frames from NoScript and AdBlockPlus. •AdBlock Plus 2.3.2? Same reason as NoScript. •Fot the first time I noticed Shield in the address bar with "Firefox has blocked content that isnt secure" bubble. http://i.imgur.com/K4FL65n.png. I dont know how long this feature is implemented or what exactly it does, here are some details: https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety?as=u&utm_source=inproduct


P.S. Just small remark. If that is true: "Finally, Firefox 23 removes the option to disable JavaScript from the Options pane — and if you had JavaScript turned off, it has been turned back on." There should be some warning when Firefox is updated that JS was turned ON. I think that for me FF updated silently without any messages. OR maybe I blatantly closed some windows, i dont remember well.

I noticed that Firefox with version 23 removed option to turn OFF JavaScriipt from Tools > Options > Content menu http://www.extremetech.com/computing/163291-firefox-23-finally-kills-the-blink-tag-removes-ability-to-turn-off-javascript-introduces-new-logo Recent events when allegedly FBI used JavaScript in iframe to exploit bug in Firefox with intentions to uncover identity of users of TOR network encouraged me to play with security settings a bit. More about how FBI exploited Firefox bug to execute malitious JavaScript on users computers: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html More biased articles can be found in popular media articles. Just google "TOR exploit FBI" ISSUE: Symptoms: I noticed that turning iFrames OFF in about:config > browser.frames.enabled;false seems to not be working as expected. Iframes are still shown and JavaScript in them is executed. Doesnt work even after resterting Firefox. Testing: I used this pages to test iFrames: •https://sites.google.com/site/annuairevin/test-page •http://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe •http://www.quirksmode.org/iframetest.html After I turned browser.frames.enabled OFF and restarted I noticed that iFrames are still shown on all 3 pages and JavaScript in them would be executed. By blocking IFRAMES with NoScript blocking turned ON (you have to turn forbidding IFRAMES on manually in options http://i.imgur.com/7jctoTW.png) I managed to block IFRAMES on google and w3school pages. !!!Text in iframe "Test page in iframe" on quirksmode test page was still shown even after I have frames turned OFF in about:config and I block all scripts and frames and iframes with NoScript. If I open same page (http://www.quirksmode.org/iframetest.html) with Opera with iFrames blocked in Preferences, iFrame is not shown at all, browser doesnt even render empty square; but JavaScript in it is executed, if you dont disable JavaScript in Preferences > Advanced. I didnt test Chrome at all. Possible things that can cause bug: •I am using NoScript 2.6.7, I turned it off and on but it is possible that it is overriding Firefox settings in about:config. when you serach about:config for "frames" there are many settings mentioning frames from NoScript and AdBlockPlus. •AdBlock Plus 2.3.2? Same reason as NoScript. •Fot the first time I noticed Shield in the address bar with "Firefox has blocked content that isnt secure" bubble. http://i.imgur.com/K4FL65n.png. I dont know how long this feature is implemented or what exactly it does, here are some details: https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety?as=u&utm_source=inproduct P.S. Just small remark. If that is true: "Finally, Firefox 23 removes the option to disable JavaScript from the Options pane — and if you had JavaScript turned off, it has been turned back on." There should be some warning when Firefox is updated that JS was turned ON. I think that for me FF updated silently without any messages. OR maybe I blatantly closed some windows, i dont remember well.

所有回覆 (2)

more options

The documentation I find on browser.frames.enabled is very vague, but I can't see that it does anything currently. Is this a feature you used successfully in an earlier version?

The Mixed [Active] Content Blocker was turned on by default in Firefox 23. That would explain the shield icon. Not sure whether implementing that might have changed how iframes are handled.

more options

Thx. I dont know if that feature was working in any time during development. I just found suggestions on google that this is the way to turn off iFrames in Firefox. I didnt see anybody complaining it doesnt work, but also no conformations that is works.