
Support Forum

Is turning off iFrames via about:config > browser.frames.enabled;false broken in Firefox 23?

Posted

I noticed that Firefox with version 23 removed the option to turn OFF JavaScript from the Tools > Options > Content menu: http://www.extremetech.com/computing/163291-firefox-23-finally-kills-the-blink-tag-removes-ability-to-turn-off-javascript-introduces-new-logo

Recent events, when allegedly the FBI used JavaScript in an iframe to exploit a bug in Firefox with intentions to uncover the identity of users of the TOR network, encouraged me to play with security settings a bit. More about how the FBI exploited a Firefox bug to execute malicious JavaScript on users' computers: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html More biased articles can be found in popular media articles. Just google "TOR exploit FBI".

ISSUE:

Symptoms: I noticed that turning iFrames OFF in about:config > browser.frames.enabled;false seems to not be working as expected. Iframes are still shown and JavaScript in them is executed. It doesn't work even after restarting Firefox.

Testing: I used these pages to test iFrames:

  • https://sites.google.com/site/annuairevin/test-page
  • http://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe
  • http://www.quirksmode.org/iframetest.html

After I turned browser.frames.enabled OFF and restarted I noticed that iFrames are still shown on all 3 pages and JavaScript in them would be executed.

By blocking IFRAMES with NoScript blocking turned ON (you have to turn forbidding IFRAMES on manually in options http://i.imgur.com/7jctoTW.png) I managed to block IFRAMES on google and w3school pages.

!!!Text in iframe "Test page in iframe" on quirksmode test page was still shown even after I have frames turned OFF in about:config and I block all scripts and frames and iframes with NoScript.

If I open the same page (http://www.quirksmode.org/iframetest.html) with Opera with iFrames blocked in Preferences, the iFrame is not shown at all, the browser doesn't even render an empty square; but JavaScript in it is executed, if you don't disable JavaScript in Preferences > Advanced. I didn't test Chrome at all.


Possible things that can cause the bug:

  • I am using NoScript 2.6.7. I turned it off and on, but it is possible that it is overriding Firefox settings in about:config. When you search about:config for "frames" there are many settings mentioning frames from NoScript and AdBlockPlus.
  • AdBlock Plus 2.3.2? Same reason as NoScript.
  • For the first time I noticed the Shield in the address bar with the "Firefox has blocked content that isn't secure" bubble: http://i.imgur.com/K4FL65n.png. I don't know how long this feature has been implemented or what exactly it does; here are some details: https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety?as=u&utm_source=inproduct


P.S. Just a small remark. If that is true: "Finally, Firefox 23 removes the option to disable JavaScript from the Options pane — and if you had JavaScript turned off, it has been turned back on." There should be some warning when Firefox is updated that JS was turned ON. I think that for me FF updated silently without any messages. OR maybe I blatantly closed some windows, I don't remember well.

Additional System Details

Installed Plug-ins

  • Shockwave Flash 11.8 r800
  • Google Update
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Next Generation Java Plug-in 10.25.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Battlefield Play4Free Updater
  • VLC media player Web Plugin 2.0.6
  • 5.1.20513.0
  • Adobe PDF Plug-In For Firefox and Netscape 11.0.03
  • Adobe Shockwave for Director Netscape plug-in, version 12.0.2.122
  • RealJukebox Netscape Plugin
  • RealNetworks(tm) RealPlayer Chrome Background Extension Plug-In
  • RealPlayer(tm) HTML5VideoShim Plug-In
  • RealPlayer(tm) LiveConnect-Enabled Plug-In
  • RealPlayer Download Plugin
  • npsitesafety
  • DivX Plus Web Player version 2.2.0.52
  • DivX VOD Helper Plug-in
  • BlackBerry WebSL Browser Plug-In
  • Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
  • DRM Netscape Network Object
  • Npdsplay dll
  • DRM Store Netscape Plugin

Application

  • Firefox 23.0
  • User Agent: Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0
  • Support URL: http://support.mozilla.org/1/firefox/23.0/WINNT/en-US/

Extensions

  • Adblock Plus 2.3.2 ({d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d})
  • Battlefield Play4Free 1.0.96.0 (battlefieldplay4free@ea.com)
  • ChatZilla 0.9.90.1 ({59c81df5-4b7a-477b-912d-4e0fdf64e5f2})
  • Dictionary for the Slovene language 0.1.1.1 (sl@dictionaries.addons.mozilla.org)
  • Firebug 1.11.4 (firebug@software.joehewitt.com)
  • IP Address and Domain Information 1.11.1 (jid0-jJRRRBMgoShUhb07IvnxTBAl29w@jetpack)
  • Live HTTP headers 0.17 ({8f8fe09b-0bd3-4470-bc1b-8cad42b8203a})
  • NoScript 2.6.7 ({73a6fe31-595d-460b-a920-fcc0f8843232})
  • Troubleshooter 1.1a (troubleshooter@mozilla.org)
  • View Cookies 1.10.3 ({8F6A6FD9-0619-459f-B9D0-81DE065D4E21})
  • AVG Do Not Track 12.0.0.2189 ({F53C93F1-07D5-430c-86D4-C9531B27DFAF}) (Inactive)
  • AVG Safe Search 12.0.0.2222 ({1E73965B-8B48-48be-9C8D-68B920ABC1C4}) (Inactive)
  • AVG Security Toolbar 11.1.1.7 (avg@toolbar) (Inactive)
  • DivX Plus Web Player HTML5 <video> 2.1.2.145 ({23fcfd51-4958-4f00-80a3-ae97e717ed8b}) (Inactive)
  • Microsoft .NET Framework Assistant 1.0 ({20a82645-c095-46ed-80e3-08825760534b}) (Inactive)
  • Premiumplay Codec-C 0.72.17 (crossriderapp435@crossrider.com) (Inactive)
  • RealPlayer Browser Record Plugin 15.0.4 ({97E22097-9A2F-45b1-8DAF-36AD648C7EF4}) (Inactive)
  • Skype Click to Call 6.10.0.13089 ({82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: NVIDIA Quadro FX 1400
  • adapterDescription2:
  • adapterDeviceID: 0x00ce
  • adapterDeviceID2:
  • adapterDrivers: nv4_disp
  • adapterDrivers2:
  • adapterRAM: Unknown
  • adapterRAM2:
  • adapterVendorID: 0x10de
  • adapterVendorID2:
  • direct2DEnabled: False
  • direct2DEnabledMessage: [u'']
  • directWriteEnabled: False
  • directWriteVersion: 0.0.0.0
  • driverDate: 11-3-2011
  • driverDate2:
  • driverVersion: 6.14.12.7628
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'skia', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'none'}
  • isGPU2Active: False
  • numAcceleratedWindows: 4
  • numTotalWindows: 4
  • webglRenderer: Google Inc. -- ANGLE (NVIDIA Quadro FX 1400)
  • windowLayerManagerType: Direct3D 9

Modified Preferences

  • accessibility.typeaheadfind.flashBar: 0
  • browser.cache.disk.capacity: 358400
  • browser.cache.disk.smart_size.first_run: False
  • browser.cache.disk.smart_size.use_old_max: False
  • browser.cache.disk.smart_size_cached_value: 358400
  • browser.places.smartBookmarksVersion: 4
  • browser.search.useDBForOrder: False
  • browser.startup.homepage_override.buildID: 20130730113002
  • browser.startup.homepage_override.mstone: 23.0
  • browser.zoom.full: False
  • dom.mozApps.used: True
  • dom.w3c_touch_events.expose: False
  • extensions.lastAppVersion: 23.0
  • font.internaluseonly.changed: False
  • keyword.URL: http://www.amazon.com/websearch/ref=bit_bds-p12_serp_ff_us_display?ie=UTF8&tagbase=bds-p12&tag=bds-p12-serp-us-ff-20&tbrId=v1_abb-channel-12_5cec1dc9b30d4f47bb393d31f7ef3787_39_1006_20130807_SI_ff_ab_&query=
  • network.cookie.prefsMigrated: True
  • places.database.lastMaintenance: 1375969557
  • places.history.expiration.transient_current_max_pages: 53637
  • plugin.disable_full_page_plugin_for_types: application/pdf
  • plugin.importedState: True
  • plugin.state.npunity3d: 0
  • privacy.sanitize.migrateFx3Prefs: True
  • security.disable_button.openCertManager: False
  • security.disable_button.openDeviceManager: False
  • security.OCSP.disable_button.managecrl: False
  • storage.vacuum.last.index: 1
  • storage.vacuum.last.places.sqlite: 1374276605

Misc

  • User JS: No
  • Accessibility: No
jscher2000

Helpful Reply

The documentation I find on browser.frames.enabled is very vague, but I can't see that it does anything currently. Is this a feature you used successfully in an earlier version?

The Mixed [Active] Content Blocker was turned on by default in Firefox 23. That would explain the shield icon. Not sure whether implementing that might have changed how iframes are handled.

Question owner

Thx. I don't know if that feature was working at any time during development. I just found suggestions on google that this is the way to turn off iFrames in Firefox. I didn't see anybody complaining it doesn't work, but also no confirmations that it works.
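
An added example, not part of the original thread and not Firefox's own code: a check of the profile's prefs.js that shows whether browser.frames.enabled was actually stored as false and whether javascript.enabled carries a user-set value, which separates "the setting was never saved" from "the setting is saved but has no effect". The sample file contents are constructed, and the default values in `WATCHED` are assumptions of this example.

```python
import re

# One line of a profile's prefs.js looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Prefs discussed in the thread. The defaults here are assumptions of this
# example, used only when prefs.js holds no user value for the pref.
WATCHED = {"browser.frames.enabled": True, "javascript.enabled": True}


def parse_value(raw):
    """Convert the textual pref value into bool, int or str."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_prefs(text):
    """Return {pref name: value} for every user_pref line; skip the rest."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = parse_value(match.group(2))
    return prefs


def audit(text, watched=WATCHED):
    """Report each watched pref as ('user-set', value) or ('default', value)."""
    prefs = parse_prefs(text)
    return {name: ("user-set", prefs[name]) if name in prefs
            else ("default", default)
            for name, default in watched.items()}


# Constructed sample of a prefs.js file (not taken from a real profile).
SAMPLE = '''\
# Mozilla User Preferences
/* Do not edit this file. */
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.frames.enabled", false);
user_pref("browser.startup.homepage_override.mstone", "23.0");
'''

if __name__ == "__main__":
    for name, (origin, value) in audit(SAMPLE).items():
        print(f"{name}: {value} ({origin})")
```

If browser.frames.enabled is reported as user-set and false while iframes still render, the value is stored and the browser is not acting on it; a javascript.enabled entry reported as default means no user override is present in the profile.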