22 August 2006

Why Javascript is enabled by default

After a new installation of Liferea the "Disable Javascript" preference is not selected by default. A user who wants to prevent Liferea from running Javascript content, either in the item rendering or when browsing inside Liferea, has to switch the preference on explicitly.

From time to time I get a bug report saying something like this: "You need to disable it per-default otherwise you will endanger your users". Often the one reporting the "problem" is quite amazed that such an obvious problem wasn't "discovered" earlier.

Now these are the reasons why Javascript is explicitly not disabled:
  • Mozilla/Firefox, which Liferea embeds (the alternative GtkHTML2 renderer doesn't support Javascript at all), also ships with Javascript enabled as a standalone application. Many of its users use it this way, and it is not considered a flaw in Mozilla.
  • When embedding Mozilla one can only enable or disable Javascript globally. So disabling Javascript to prevent malicious script content in feed items also disables it for internal browsing.
  • When displaying parser/filter/download errors Liferea uses Javascript to hide the details until a "Details" link is clicked.
  • Enabling Javascript makes internal browsing more barrier-free.
  • Liferea (v1.1) tries to prevent malicious script content by removing it from feed items. While this is still work in progress, it already catches a lot of the script-insertion scenarios.
Of course you can always patch the default gconf schema of Liferea to install with Javascript disabled.
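To illustrate what "removing script content from feed items" involves, here is an added example of an allowlist-based feed item sanitizer. It is not Liferea's own filter code; the tag and scheme allowlists, the `sanitize` function and the sample item are assumptions made for this illustration. It drops `script`-like elements together with their content, strips `on*` event-handler attributes, and rejects `href`/`src` values whose scheme is not allowlisted, after normalising the entity-encoded and whitespace-padded spellings that a plain `javascript:` string match would miss.

```python
from html.parser import HTMLParser
import html
import re

# Elements dropped together with everything they contain.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet", "noscript"}
# Elements allowed through (assumed allowlist); anything else is unwrapped: the tag goes, its text stays.
ALLOWED_TAGS = {"a", "p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "img", "blockquote", "code", "pre", "h1", "h2", "h3", "span", "div"}
# Attributes that may carry a URL and therefore a script scheme.
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}
VOID_TAGS = {"br", "img", "hr"}

# ASCII control characters and whitespace, which browsers ignore inside a scheme.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value):
    """Accept relative URLs and allowlisted schemes; reject javascript:, data:, vbscript: and the like."""
    cleaned = _CTRL_WS.sub("", value)  # 'java\tscript:' and ' javascript:' collapse to 'javascript:'
    if ":" not in cleaned:
        return True  # no scheme at all: relative URL
    head = cleaned.split(":", 1)[0]
    if any(c in head for c in "/?#"):
        return True  # the ':' sits inside a path or query, so this is still a relative URL
    return head.lower() in SAFE_SCHEMES


class FeedItemSanitizer(HTMLParser):
    """Rebuilds a feed item's HTML, keeping only allowlisted tags and harmless attributes."""

    def __init__(self):
        # HTMLParser unescapes attribute values, so '&#106;avascript:' reaches us as 'javascript:'.
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth += 1  # nested dropped element
            return
        if tag in DROP_WITH_CONTENT:
            self._drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unwrap: children are still emitted by handle_data
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue  # event handlers (onclick, onerror, ...)
            if name == "style":
                continue  # CSS can smuggle url()/expression() in old engines
            if name in URL_ATTRS and (value is None or not safe_url(value)):
                continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}" for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in DROP_WITH_CONTENT:
                self._drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text so nothing is reinterpreted

    def handle_comment(self, data):
        pass  # comments are dropped; conditional comments were a script vector in old IE


def sanitize(fragment):
    parser = FeedItemSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample feed item exercising the common insertion tricks (not a real feed).
SAMPLE_ITEM = (
    '<p>Read <a href="https://example.org/post">the post</a>.</p>'
    '<script>alert(1)</script>'
    '<a href="&#106;avascript:alert(2)" onclick="evil()">click</a>'
    '<img src="https://example.org/a.png" onerror="evil()">'
    '<a href="java\tscript:evil()">x</a>'
    '<iframe src="https://example.org/"><p>inside</p></iframe>'
    '<b>bold</b><marquee>text</marquee>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_ITEM))
```

The design choice worth noting is that the filter is an allowlist, not a blocklist of known-bad patterns: a tag or attribute that is not explicitly permitted never reaches the output, so a new markup trick fails closed instead of slipping past a regex. The `safe_url` normalisation is the part most often forgotten; browsers tolerate control characters and whitespace inside a scheme and decode entities in attribute values, so the check has to run on the decoded, stripped value.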
