User Help for Seamonkey and Mozilla Suite
14 posts • Page 1 of 1
That is a Microsoft term used in IE to designate a predefined set of features you can assign to certain sites. You've got "Resticted sites" for sites you don't trust, "Trusted sites" for sites you do, and "Internet" for the default. (Which features are enabled for which category, you can choose yourself: scripting, ActiveX controls, user data persistence, etc. Of course ActiveX controls are enabled in the default setting, but you can disable them if you like.)
Mozilla doesn't have the exact same functionality, but you can choose per site whether you want to store form data, allow cookies, etc.
There is no ActiveX support in Mozilla, so you can't choose whether to enable that or not... most of the other settings are either hard coded (Meta refresh for instance, that's always on) or you can turn them on or off program-wide, not per site (e.g. "Display mixed content").
Mozilla doesn't trust any of them. That's why the security is better than with IE...
Deeder the bottom line is what you are asking about is an IE feature. Mozilla doesn't have it.
As Always: I may be right. I may be wrong.
SeaMonkey does support configurable security policies. There is no GUI interface to them, though. See <http://www.mozilla.org/projects/security/components/ConfigPolicy.html>.
If you still want to put sites in an "environment"then use this;
https://addons.mozilla.org/extensions/m ... on=mozilla
Deeder, let me try to explain in a different way
Microsoft IE allows you to specify sites as "trusted" giving the sites in the "trusted" set privledges to do things to your computer. Sites are either "not in the trusted set" (and have certain minimal privledges) or in the "trusted" set and can do pretty much what they like. Microsoft assumed that Windows users could not be bothered to allow strusted sites JUST the specific extra privledges needed for the site to function. It's all or nothing. A site is either trusted or not.
Mozilla, FireFox, etc. don't work in that all or nothing way. You get to specify not that a site is "trusted" but on a case by case basis exactly what extra privledges it will be allowed in the security settings. You get to specify a general sort of rule (say for cookies, that they be session only) but then add to a list the address of a site which you trust to leave a cookie on your machine -- you trust it for THAT << but maybe not for somethign else >> Got the idea?
Unfortunately having choices like that means havig to make choices and learning a little more. The reason one normally lists sites as "trusted" (when using IE) is that for the site to function it needs more than standard privledges and you DO trust the site (say it's your bank's site -- well hell, they've already got your money). Using Mozilla you will need to learn (in each case) WHAT extra privledge you need to grant the site.
Besides, you can fine-tune the settings for all the security levels in IE, so it's not like you're stuck with a fixed bunch of features at each level.
Depending on your surfing habits, IE might even be more suitable to your needs than Mozilla.
Not that I'd ever prefer IE to Mozilla, but it would have been nice to be able to turn some functionality on/off per website, such as scripting or the restriction of contents displayed in IFRAMEs - just like you can with cookies and form data.
That is exactly what NoScript does for you.
It disables JS for (almost) all sites by default, & you allow (whitelist) those sites where you wish to have it enabled.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:188.8.131.52) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
That's why I said "unless you install an extension to do this"... I've had problems with Noscript though, and uninstalling it wasn't easy, so I'm wary of it.
a Security Rant so i don't go mad,
I don't agree with mozilla's over bearing security. to me Mozilla's way of thinking (in security) is killing off a lot of good ideas. Sure a lot of mozilla's other features actually add to the idea pool and before it existed trying to develop sites that were available cross-os / cross-browser was very difficult (Netscape 4.7 - urrghh.) - It's all this that keeps me liking mozilla/FF - but their security model just slowly inches me further up the wall with each silent "uncaught exception: privilege denied" type errors.
I am currently working on an application that allows the user to browse their hard drive and upload photos - now after much research on mozilla's part (IE was straight forward - not amazing but straight forward - mainly because the documentation is easy to find) i now have it working in both IE 6.0 and MOZ FF 1.5 but one of the simplest of things is disabled - i can't view the local image files in mozilla if working from a http:// location - so i can't preview the local photos in mozilla unless i upload them...!
I understand mozilla isn't designed for applications - it is a browser - but imo the desktop software future is in web-applications (the user can use the application, and the people who know what they are doing can look after, maintain and develop the application - no upgrades - no releases - just ever improving globally accessible software) so why are they choking this ability in the name of security. Web Applications are not just pages that are surfed in on, so they don't need the same security restrictions, they need to be able to ask the user if they can do something and then get on and do it.
I know you can sign scripts and get more privileges but that isn't very helpful for developers while developing.
Sure i know that the file:/// access is blocked for certain reasons, so that a website can't determine the user's OS or exploit OS bugs in old file systems - but with the amount of little work arounds and strange privilege requests I've had to make in mozilla to achieve certain things there should just be a carte blanche for certain applications or power sites - where the user has paid for the service and so therefore trusts the site and it's actions - if you buy some software and run that software your computer is at the mercy of that exe, so why is it any different for web-apps.
for the file:/// problem i have researched and made changes to my user.js using "capability.policy" and "checkloaduri" which using the "user_pref" code below should enable this straight forward feature. But it doesn't and the "security.checkloaduri" pref in "about:config" is ignored as well... i think the "security.checkloaduri" pref has been deprecated since 1.5 but then why is it still there in "about:config"? am i missing some hidden pref somewhere else to get this to work?
The above would be fine for me (if it worked) but tbh i really don't want to have to get all my users to make edits to some hidden away .js file or anything of the like. At least in IE you can just use the GUI to add a trusted site and so even the oldest or slowest computer user can do it if provided with instructions. If you trust a site (especially if this is part of a local intranet or a web-application that my clients have paid for me to develop) then there should be a way to fully trust the site to do what it needs to do - sure this shouldn't be the end of the story like it is in IE, but an overall security switch should exist, it should have a GUI and it should have a damn big warning.
The security should be there by default, IE fails at this - this is not a Mozilla vs IE post - i am just interested in writing good cross-browser powerful applications (i don't care which browsers) but i am frustrated more so by the newest browsers (IE hasn't be altered, as usual, for ages) for having only partial solutions when they have full solutions to similar problems elsewhere. I used to be able to access the "security.checkloaduri" pref via the privilege system automatically (with a prompt to the user):
var cl = Components.classes["@mozilla.org/preferences-service;1"];
var prefs = cl.getService(Components.interfaces.nsIPrefBranch);
if(prefs && ( prefs.getBoolPref("security.checkloaduri") == true ) ) prefs.setBoolPref("security.checkloaduri", false);
but now that has been removed there is no way of requesting permission from the user. The privilege system works well in doing exactly what you'd want - the js is a bit odd to implement but it pops up and warns the user properly about what the site is going to do, and it allows the choice to be remembered. Why is this not available for all prefs?
The most ridiculous thing is that i can read / write the user's full hard drive but i can't display images... now which do you think it more of a security risk?
Please put me in my place if i have missed something detrimental to my complaint, but if i have missed something i'll post another rant about the confusing documentaion available
14 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 1 guest