Don Dwiggins wrote:
> "Invasive" JavaScript is getting to be a serious problem on the web. I've
> tried just disabling JS completely, but there are too many sites that use
> it for reasonable purposes, and it's not easy to enable it, reload the page,
> and disable it again. (IE makes this easier -- you can have it prompt you
> whenever a page wants to run JS, but it turns out to be a pain; I've sometimes
> had to make a choice several times for a single page.)
>
> I just saw the Configurable Security Policies page, and it looks like a
> promising tool. I'll definitely use the "disable popup" setting. However,
> I'd also like to disable other things. I've read a bit about JS being used
> to "spy" on browser users, and that's an obvious hole (or set of holes) to
> close.
>
> What I'd like to achieve, if possible, is a sort of "80% solution" -- not
> necessarily bulletproofing the browser, but at least giving me a comfortable
> enough feeling to leave JS enabled.
>
> So, does anyone have good suggestions for objects to be restricted, and/or
> information about vulnerabilities that this mechanism won't help with?
>
Look at:
http://www.mozilla.org/projects/security/components/configPolicy.html