Bug 161864 - Provide API to disable potentially dangerous content in Browser
Summary: Provide API to disable potentially dangerous content in Browser
Status: NEW
Alias: None
Product: Platform
Classification: Eclipse Project
Component: SWT
Version: 3.3
Hardware: PC Windows XP
Importance: P3 enhancement
Target Milestone: ---
Assignee: Grant Gayed CLA
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 228608 265808
Reported: 2006-10-22 06:50 EDT by Benjamin Pasero CLA
Modified: 2019-09-06 16:11 EDT (History)
Attachments
proposed fix (4.68 KB, patch)
2008-05-13 07:05 EDT, Jacek Pospychala CLA
proposed fix (4.71 KB, patch)
2008-05-21 09:04 EDT, Jacek Pospychala CLA
Description Benjamin Pasero CLA 2006-10-22 06:50:44 EDT
For obvious reasons, the Internet Explorer is a problem in terms of security. A lot of my users criticise me for embedding the IE into my application. They are used to having Firefox running and usually don't even open the IE at all. A lot of the exploits existing for the IE are based on JavaScript. Therefore I beg for a way to disable JavaScript in the Browser programmatically.

MSDN describes a way on their "WebBrowser Customization" site:
http://msdn.microsoft.com/workshop/browser/hosting/wbcustomization.asp

DLCTL_NO_SCRIPTS flag can be used to disable JavaScript. I was browsing the source of Browser.java in SWT and was surprised to find the flag as a constant. However, it's obviously not yet used. Since I am not an OLE-expert I was unable to write a patch for this purpose.

I understand this could be a problematic request, because for other Browsers disabling JavaScript might not even be possible at all. So, maybe have a new SWT hint to pass into the Browser creation, only supported on Windows?

Otherwise, I would also greatly appreciate some pointers on how to patch the existing Browser to understand the DLCTL_NO_SCRIPTS flag :)

Thanks,
Ben
Comment 1 Benjamin Pasero CLA 2006-10-24 12:03:40 EDT
I found out that it's easy to disable JavaScript by calling:

site.setSiteProperty(DISPID_AMBIENT_DLCONTROL, new Variant(DLCTL_NO_SCRIPTS));

directly after the WebSite has been created.

However, setting this site-property back to NULL, it was not possible to enable JavaScript again.

Is this a limitation of the API in SWT or WebBrowser Control? I was reading that you could toggle enablement of JavaScript without the need of re-creating the Browser.

Ben
Comment 2 Benjamin Pasero CLA 2006-10-24 12:13:11 EDT
Hm, reading the MSDN, I think this flag can only be set once and is only respected when the control is created. I guess it's not possible to re-enable JavaScript in the running instance.

Ben
Comment 3 Benjamin Pasero CLA 2006-10-25 16:32:06 EDT
Ok, just asked someone that managed to get this done in Delphi. So apparently there is a way to control this flag in a running instance.

The solution he uses is to call

IOleControl.OnAmbientPropertyChange(DISPID_AMBIENT_DLCONTROL)

whenever this property changes. 

Browsing SWT's OLE-Support I was not finding the method in IOleControl. Any plans to add it, or is there a different way in SWT to inform about a change in the ambient properties of an OLE Control?

MSDN on that: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/9ca43723-a14e-4f03-8eec-e10ab34ecb4d.asp

Ben
Comment 4 Grant Gayed CLA 2006-10-27 14:43:00 EDT
You should be able to do this by adding the following to WebSite's ProcessUrlAction method:

if (dwAction == 5120 /*0x1400 - URLACTION_SCRIPT_RUN*/) {
    policy = Browser.URLPOLICY_DISALLOW;
}
Comment 5 Benjamin Pasero CLA 2006-10-28 07:26:34 EDT
Grant, that's exactly what I was looking for, thanks! I owe you a beer (at EclipseCon 2007?) ;)

Ben
Comment 6 Grant Gayed CLA 2006-10-30 12:08:14 EST
If I'm there then I'll hunt you down. ;-)
Comment 7 Jacek Pospychala CLA 2008-05-05 05:27:14 EDT
wow, that's cool. Is there any chance to get similar functionality for Firefox?
Comment 8 Grant Gayed CLA 2008-05-05 16:36:59 EDT
I think this would be done in mozilla/firefox/etc. by setting the javascript.enabled preference to false.  Mozilla.create(...) has some examples of setting preference values.
Comment 9 Jacek Pospychala CLA 2008-05-13 07:05:19 EDT
Created attachment 99921
proposed fix

How about the following fix for IE and Mozilla?
It adds SWT.DISABLE_JAVASCRIPT to control whether javascript should be disabled or not.

There is one but:...
In my pretty default environment, by default IE has Javascript enabled whereas Mozilla has it disabled, so style flag for Mozilla does nothing. Further on it'd be good to have SWT.ENABLE_JAVASCRIPT as well :) or instead of flag, add something like Browser.setJavascriptEnabled(boolean).

What are your thoughts on this, SWT Team?
Comment 10 Grant Gayed CLA 2008-05-13 09:51:12 EDT
Eclipse and swt are api frozen for 3.4, so this can't be considered until post-3.4.  If something like this was to be added it would likely be with new api on Browser rather than a style bit, assuming that a way to do this in Safari exists.

However the Mozilla implementation of this functionality is problematic, because Mozilla preferences are shared across all instances using the same profile.  So this api would have to be declared as static for this reason, and would imply that one plug-in creating a Browser could turn on/off javascript for all other Browser instances and not-yet-created instances.  I don't think this is desirable, so a way to turn off javascript per-instance for Mozilla (and Safari) would be needed before this was considered for inclusion.
Comment 11 Jacek Pospychala CLA 2008-05-13 09:55:33 EDT
I'm ok with post-3.4, but you made me sad with Mozilla....
Comment 12 Jacek Pospychala CLA 2008-05-15 03:43:36 EDT
Playing further with javascript & IE I see that even if I disable javascript in IE (set security level to High in Internet Options), I'm not able to run scripts in IE, but they run in SWT Browser, thus my setting is ignored. Is this intentional, or IE works this way?

I've seen some "Zone" and "Security" stuff in SWT IE implementation, could it be of any use, for example to disable javascript completely in IE and carry this setting to browsers embedded in SWT?
Comment 13 Grant Gayed CLA 2008-05-15 11:54:11 EDT
The embedded html control asks the embedder (embedder == the IE app or swt) whether these scripts should be run.  Setting a security level in IE sets a preference that affects how it answers this, but swt does not look at IE's preference settings like this, so swt's behaviour is not influenced by this setting in external IE.

Your second paragraph is asking whether the swt browser should pick up some of IE's preference settings like this, right?  It should/can't for some settings like the zone because the value that swt answers is required in order to enable some of eclipse's functionality (WebSite.MapUrlToZone has a comment about this).  Trying to inherit a setting from IE like whether javascript should run or not would be less drastic, but would uniformly disable functionality relied on by Browser clients using Browser.execute().  I think that for the option of disabling javascript to happen it needs to be settable on a per-Browser basis.
Comment 14 Jacek Pospychala CLA 2008-05-21 09:04:33 EDT
Created attachment 101244
proposed fix

In light of Grant's comments, plus considering this bug has security implications especially on Windows with its buggy IE,

attached is a patch with Browser.setJavascriptEnabled(boolean) to enable/disable javascript. It has an implementation only for Windows, and throws SWT.NOT_IMPLEMENTED for Mozilla. I'd stay with NOT_IMPLEMENTED for Safari too, unless I have some Safari to test with.
Comment 15 Dani Megert CLA 2008-05-28 12:57:53 EDT
Please consider adding API to disable JavaScript and other potentially dangerous things like applets, activeX etc. for 3.5 (see bug 228608 for details).
Comment 16 Benjamin Pasero CLA 2009-02-14 08:31:19 EST
(In reply to comment #15)
> Please consider adding API to disable JavaScript and other potentially
> dangerous things like applets, activeX etc. for 3.5 (see bug 228608 for
> details).
> 

I second this request, also given that API freeze is soon! 

Grant, could you post a snippet that shows how to disable ActiveX? I would expect it to be as easy as disabling javascript. Thanks.
Comment 17 Grant Gayed CLA 2009-02-17 16:55:48 EST
I've found a way to do this in webkit and mozilla per-instance, so I think this api is addable, some details just need to be decided on.  Will follow up here.
Comment 18 Benjamin Pasero CLA 2009-02-18 04:18:16 EST
(In reply to comment #17)
> I've found a way to do this in webkit and mozilla per-instance, so I think this
> api is addable, some details just need to be decided on.  Will follow up here.
> 

Very, very cool. Thanks for considering this. Keeps me away from having to patch SWT for releases :)
Comment 19 Grant Gayed CLA 2009-02-20 14:17:04 EST
added setJavascriptEnabled(boolean) api > 20090220

Keeping report open to consider other types of content, and updated title accordingly.
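
Added example, not part of the original report or of SWT's own sources: a minimal use of the Browser.setJavascriptEnabled(boolean) API mentioned in comment 19, applied per instance as comment 13 asks for. The class name and the HTML page are constructed for illustration; the setting applies to pages loaded after the call, so it is made before any content is set.

```java
import org.eclipse.swt.SWT;
import org.eclipse.swt.browser.Browser;
import org.eclipse.swt.layout.FillLayout;
import org.eclipse.swt.widgets.Display;
import org.eclipse.swt.widgets.Shell;

public class ScriptlessBrowserDemo { // hypothetical class name
    // Constructed sample page: the script rewrites the paragraph only if it runs.
    static final String PAGE =
        "<html><body><p id='s'>script did not run</p>"
        + "<script>document.getElementById('s').innerHTML = 'script ran';</script>"
        + "</body></html>";

    public static void main(String[] args) {
        Display display = new Display();
        Shell shell = new Shell(display);
        shell.setText("left: scripts allowed | right: scripts disabled");
        shell.setLayout(new FillLayout(SWT.HORIZONTAL));

        // Instance for content the application itself controls; left at its default.
        Browser trusted = new Browser(shell, SWT.NONE);

        // Instance for untrusted content. The setting is per Browser instance and
        // only affects pages loaded after the call, so set it before loading.
        Browser untrusted = new Browser(shell, SWT.NONE);
        untrusted.setJavascriptEnabled(false);

        trusted.setText(PAGE);
        untrusted.setText(PAGE);

        // Confirm that the two instances carry independent settings.
        System.out.println("trusted: " + trusted.getJavascriptEnabled()
            + ", untrusted: " + untrusted.getJavascriptEnabled());

        shell.setSize(800, 300);
        shell.open();
        while (!shell.isDisposed()) {
            if (!display.readAndDispatch()) display.sleep();
        }
        display.dispose();
    }
}
```

Run with the platform's SWT jar on the classpath; the right-hand pane should keep the text "script did not run".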

Comment 20 Benjamin Pasero CLA 2009-02-20 18:11:56 EST
Cool!
Comment 21 Jacek Pospychala CLA 2009-02-23 05:40:56 EST
Grant, thanks for looking at this.
Comment 22 Eclipse Webmaster CLA 2019-09-06 16:11:44 EDT
This bug hasn't had any activity in quite some time. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet.

If you have further information on the current state of the bug, please add it. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.