| Summary: | Provide API to disable potentially dangerous content in Browser | | |
|---|---|---|---|
| Product: | [Eclipse Project] Platform | Reporter: | Benjamin Pasero <bpasero> |
| Component: | SWT | Assignee: | Grant Gayed <grant_gayed> |
| Status: | NEW --- | QA Contact: | |
| Severity: | enhancement | | |
| Priority: | P3 | CC: | benjamin_pasero, daniel_megert, jacek.pospychala, mlists, steve_northover |
| Version: | 3.3 | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Windows XP | | |
| Whiteboard: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 228608, 265808 | | |
| Attachments: | | | |

Description
Benjamin Pasero
2006-10-22 06:50:44 EDT
I found out that it's easy to disable JavaScript by calling:

    site.setSiteProperty(DISPID_AMBIENT_DLCONTROL, new Variant(DLCTL_NO_SCRIPTS));

directly after the WebSite has been created. However, setting this site-property back to NULL, it was not possible to enable JavaScript again. Is this a limitation of the API in SWT or WebBrowser Control? I was reading that you could toggle enablement of JavaScript without the need of re-creating the Browser.

Ben

Hm, reading the MSDN, I think this flag can only be set once and is only respected when the control is created. I guess it's not possible to re-enable JavaScript in the running instance.

Ben

Ok, just asked someone that managed to get this done in Delphi. So apparently there is a way to control this flag in a running instance. The solution he uses is to call IOleControl.OnAmbientPropertyChange(DISPID_AMBIENT_DLCONTROL) whenever this property changes. Browsing SWT's OLE-Support I was not finding the method in IOleControl. Any plans to add it, or is there a different way in SWT to inform about a change in the ambient properties of an OLE Control?

MSDN on that: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/9ca43723-a14e-4f03-8eec-e10ab34ecb4d.asp

Ben

You should be able to do this by adding the following to WebSite's ProcessUrlAction method:

    if (dwAction == 5120 /*0x1400 - URLACTION_SCRIPT_RUN*/) {
        policy = Browser.URLPOLICY_DISALLOW;
    }

Grant, that's exactly what I was looking for, thanks! I owe you a beer (at EclipseCon 2007?) ;)

Ben

If I'm there then I'll hunt you down. ;-)

wow, that's cool. Is there any chance to get similar functionality for Firefox?

I think this would be done in mozilla/firefox/etc. by setting the javascript.enabled preference to false. Mozilla.create(...) has some examples of setting preference values.

Created attachment 99921
proposed fix
How about following fix for IE and Mozilla?
It adds SWT.DISABLE_JAVASCRIPT to control whether javascript should be disabled or not.
There is one but:...
In my pretty default environment, by default IE has Javascript enabled whereas Mozilla has it disabled, so style flag for Mozilla does nothing. Further on it'd be good to have SWT.ENABLE_JAVASCRIPT as well :) or instead of flag, add something like Browser.setJavascriptEnabled(boolean).
What are your thoughts on this, SWT Team?

Eclipse and swt are api frozen for 3.4, so this can't be considered until post-3.4. If something like this was to be added it would likely be with new api on Browser rather than a style bit, assuming that a way to do this in Safari exists. However the Mozilla implementation of this functionality is problematic, because Mozilla preferences are shared across all instances using the same profile. So this api would have to be declared as static for this reason, and would imply that one plug-in creating a Browser could turn on/off javascript for all other Browser instances and not-yet-created instances. I don't think this is desirable, so a way to turn off javascript per-instance for Mozilla (and Safari) would be needed before this was considered for inclusion.

I'm ok with post-3.4, but you made me sad with Mozilla.... playing further with javascript & IE I see that even if I disable javascript in IE (set security level to High in Internet Options), I'm not able to run scripts in IE, but they run in SWT Browser, thus my setting is ignored. Is this intentional, or IE works this way?

I've seen some "Zone" and "Security" stuff in SWT IE implementation, could it be of any use, for example to disable javascript completely in IE and carry this setting to browsers embedded in SWT?

The embedded html control asks the embedder (embedder == the IE app or swt) whether these scripts should be run. Setting a security level in IE sets a preference that affects how it answers this, but swt does not look at IE's preference settings like this, so swt's behaviour is not influenced by this setting in external IE.

Your second paragraph is asking whether the swt browser should pick up some of IE's preference settings like this, right? It should/can't for some settings like the zone because the value that swt answers is required in order to enable some of eclipse's functionality (WebSite.MapUrlToZone has a comment about this).

Trying to inherit a setting from IE like whether javascript should run or not would be less drastic, but would uniformly disable functionality relied on by Browser clients using Browser.execute(). I think that for the option of disabling javascript to happen it needs to be settable on a per-Browser basis.

Created attachment 101244
proposed fix
In light of Grant's comments, plus considering this bug has security implications, especially on Windows with its buggy IE,
attached is a patch with Browser.setJavascriptEnabled(boolean) to enable/disable javascript. It has an implementation only for Windows, and throws SWT.NOT_IMPLEMENTED for Mozilla. I'd stay with NOT_IMPLEMENTED for Safari too, unless I have some Safari to test with.

Please consider adding API to disable JavaScript and other potentially dangerous things like applets, activeX etc. for 3.5 (see bug 228608 for details).

(In reply to comment #15)
> Please consider adding API to disable JavaScript and other potentially
> dangerous things like applets, activeX etc. for 3.5 (see bug 228608 for
> details).

I second this request, also given that API freeze is soon!

Grant, could you post a snippet that shows how to disable ActiveX? I would expect it to be as easy as disabling javascript. Thanks.

I've found a way to do this in webkit and mozilla per-instance, so I think this api is addable, some details just need to be decided on. Will follow up here.

(In reply to comment #17)
> I've found a way to do this in webkit and mozilla per-instance, so I think this
> api is addable, some details just need to be decided on. Will follow up here.

Very, very cool. Thanks for considering this. Keeps me away from having to patch SWT for releases :)

added setJavascriptEnabled(boolean) api > 20090220

Keeping report open to consider other types of content, and updated title accordingly.

Cool! Grant, thanks for looking at this.

This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.