Allowing only certain sites to use JavaScript: Difference between revisions

From MozillaZine Knowledge Base
Jump to navigationJump to search
(CAPS: JavaScript whitelists and blacklists)
 
 
(10 intermediate revisions by 5 users not shown)
Line 1: Line 1:
: ''This article applies to Firefox and Mozilla Suite''
: ''This article applies to Firefox and Mozilla Suite''


If you prefer to keep [[JavaScript]] turned off but need it for a few sites, you can configure the browser to use a JavaScript site "whitelist."  There is no built-in interface to do this, so you will need to [[Editing configuration | edit user.js]]. You can also edit [[about:config]], but [https://bugzilla.mozilla.org/show_bug.cgi?id=284673 due to a bug], you will not see the changes you've made (though they will take effect).
If you prefer to keep [[JavaScript]] turned off but need it for a few sites, you can configure the browser to use a JavaScript site "whitelist."  There is no built-in interface to do this, but you can use the methods described in this article.
 
==Using the NoScript extension==
 
A user interface for maintaining a site whitelist exists in the [https://addons.mozilla.org/firefox/addon/722/ NoScript] extension. In addition to JavaScript, this extension also allows you to control Flash, Java and other plugins.  For additional  information, see the [http://www.noscript.net NoScript homepage].
 
==Manual configuration==
 
You can manually maintain a JavaScript whitelist by [[Editing configuration | editing the "user.js" file]]. You can alternatively edit [[about:config]], but due to a [https://bugzilla.mozilla.org/show_bug.cgi?id=284673 bug] you will not see the changes you've made (although they will take effect).


In user.js, add the following lines:
In user.js, add the following lines:
Line 15: Line 23:


''(Naturally, you would replace http://www.example.com and http://www.example.net with sites you wanted to whitelist.)''
''(Naturally, you would replace http://www.example.com and http://www.example.net with sites you wanted to whitelist.)''
Note that you need to have JavaScript enabled when you use these preferences, because disabling it will override these settings.


Similarly, you can create a JavaScript site "blacklist" — that is, allow JavaScript on every site but those you specify. For this behavior, you would add the following lines to user.js:
Similarly, you can create a JavaScript site "blacklist" — that is, allow JavaScript on every site but those you specify. For this behavior, you would add the following lines to user.js:
Line 24: Line 34:
These examples were taken from the [http://www.mozilla.org/projects/security/components/ConfigPolicy.html CAPS documentation].
These examples were taken from the [http://www.mozilla.org/projects/security/components/ConfigPolicy.html CAPS documentation].


==See Also==
You need to restart your browser after editing user.js, otherwise the changes will not take effect.
* [http://www.mozilla.org/projects/security/components/ConfigPolicy.html Configurable Security Policies (CAPS)]
 
==See also==
* [[Security Policies]]
* [[Editing configuration]]
* [[Editing configuration]]
* [[JavaScript]]
* [[JavaScript]]


[[Category:Security and privacy]] [[Category:Configuration (Firefox)]] [[Category:Configuration (Mozilla Suite)]]
==External links==
* [http://www.mozilla.org/projects/security/components/ConfigPolicy.html Configurable Security Policies (CAPS)]
* [https://addons.mozilla.orgfirefox/addon/js-switch/ JS Switch], addon to toggle preference via Tools and/or a toolbar button.
* [http://www.noscript.net/ NoScript - JavaScript Whitelist Extension]
 
[[Category:Privacy and security]]
[[Category:Configuration]]
[[Category:Websites]]

Latest revision as of 20:28, 26 June 2015

This article applies to Firefox and Mozilla Suite

If you prefer to keep JavaScript turned off but need it for a few sites, you can configure the browser to use a JavaScript site "whitelist." There is no built-in interface to do this, but you can use the methods described in this article.

Using the NoScript extension

A user interface for maintaining a site whitelist exists in the NoScript extension. In addition to JavaScript, this extension also allows you to control Flash, Java and other plugins. For additional information, see the NoScript homepage.

Manual configuration

You can manually maintain a JavaScript whitelist by editing the "user.js" file. You can alternatively edit about:config, but due to a bug you will not see the changes you've made (although they will take effect).

In user.js, add the following lines:

user_pref("capability.policy.policynames", "jsok");
user_pref("capability.policy.default.javascript.enabled", "noAccess");
user_pref("capability.policy.jsok.sites", "http://www.example.com");
user_pref("capability.policy.jsok.javascript.enabled", "allAccess");

The line with capability.policy.jsok.sites can have multiple websites separated by spaces, like so:

user_pref("capability.policy.jsok.sites", "http://www.example.com http://www.example.net");

(Naturally, you would replace http://www.example.com and http://www.example.net with sites you wanted to whitelist.)

Note that you need to have JavaScript enabled when you use these preferences, because disabling it will override these settings.

Similarly, you can create a JavaScript site "blacklist" — that is, allow JavaScript on every site but those you specify. For this behavior, you would add the following lines to user.js:

user_pref("capability.policy.policynames", "nojs");
user_pref("capability.policy.nojs.sites", "http://www.example.com http://www.example.net");
user_pref("capability.policy.nojs.javascript.enabled", "noAccess");

These examples were taken from the CAPS documentation.

You need to restart your browser after editing user.js, otherwise the changes will not take effect.

See also

External links