MozillaZine

How to add trusted sites to Mozilla 1.7

User Help for Seamonkey and Mozilla Suite
Deeder
 
Posts: 3
Joined: December 18th, 2005, 6:00 pm

Post Posted December 18th, 2005, 6:07 pm

Hello,

Would you please let me know

how to add trusted sites to Mozilla 1.7?

Thanks in advance,

Deeder

raj_bhaskar

User avatar
 
Posts: 1876
Joined: November 7th, 2002, 3:50 am
Location: Glasgow, Scotland

Post Posted December 19th, 2005, 9:27 am

What do you mean by "add trusted sites". Trusted to do what?

Pim

User avatar
 
Posts: 2153
Joined: May 17th, 2004, 2:04 pm
Location: Netherlands

Post Posted December 19th, 2005, 2:02 pm

That is a Microsoft term used in IE to designate a predefined set of features you can assign to certain sites. You've got "Resticted sites" for sites you don't trust, "Trusted sites" for sites you do, and "Internet" for the default. (Which features are enabled for which category, you can choose yourself: scripting, ActiveX controls, user data persistence, etc. Of course ActiveX controls are enabled in the default setting, but you can disable them if you like.)

Mozilla doesn't have the exact same functionality, but you can choose per site whether you want to store form data, allow cookies, etc.
There is no ActiveX support in Mozilla, so you can't choose whether to enable that or not... most of the other settings are either hard coded (Meta refresh for instance, that's always on) or you can turn them on or off program-wide, not per site (e.g. "Display mixed content").
Groetjes, Pim

Deeder
 
Posts: 3
Joined: December 18th, 2005, 6:00 pm

Post Posted December 19th, 2005, 4:00 pm

Hi Pim,

Thanks for the explanation but I still don't know how to add trusted sites to Mozilla 1.7.

Would you please let me know step-by-step?

Thanks very much,

Deeder

Guest
Guest
 

Post Posted December 19th, 2005, 4:54 pm

Mozilla doesn't trust any of them. That's why the security is better than with IE...

ray2047
 
Posts: 1002
Joined: October 16th, 2003, 11:07 am

Post Posted December 19th, 2005, 5:10 pm

Deeder the bottom line is what you are asking about is an IE feature. Mozilla doesn't have it.
As Always: I may be right. I may be wrong.

Andy Boze

User avatar
 
Posts: 2707
Joined: June 30th, 2005, 9:53 pm
Location: South Bend, IN

Post Posted December 19th, 2005, 5:18 pm

SeaMonkey does support configurable security policies. There is no GUI interface to them, though. See <http://www.mozilla.org/projects/security/components/ConfigPolicy.html>.

yamal

User avatar
 
Posts: 3667
Joined: January 8th, 2004, 9:12 pm
Location: near A'dam

Post Posted December 19th, 2005, 5:24 pm

Basically there is only java and javascript in mozilla.
You should browse with java off, and mozilla is safe enough to have javascript on.
If you still want to put sites in an "environment"then use this;
https://addons.mozilla.org/extensions/m ... on=mozilla

Mike Novack
Guest
 

Post Posted December 19th, 2005, 5:45 pm

Deeder, let me try to explain in a different way

Microsoft IE allows you to specify sites as "trusted" giving the sites in the "trusted" set privledges to do things to your computer. Sites are either "not in the trusted set" (and have certain minimal privledges) or in the "trusted" set and can do pretty much what they like. Microsoft assumed that Windows users could not be bothered to allow strusted sites JUST the specific extra privledges needed for the site to function. It's all or nothing. A site is either trusted or not.

Mozilla, FireFox, etc. don't work in that all or nothing way. You get to specify not that a site is "trusted" but on a case by case basis exactly what extra privledges it will be allowed in the security settings. You get to specify a general sort of rule (say for cookies, that they be session only) but then add to a list the address of a site which you trust to leave a cookie on your machine -- you trust it for THAT << but maybe not for somethign else >> Got the idea?

Unfortunately having choices like that means havig to make choices and learning a little more. The reason one normally lists sites as "trusted" (when using IE) is that for the site to function it needs more than standard privledges and you DO trust the site (say it's your bank's site -- well hell, they've already got your money). Using Mozilla you will need to learn (in each case) WHAT extra privledge you need to grant the site.

Deeder
 
Posts: 3
Joined: December 18th, 2005, 6:00 pm

Post Posted December 19th, 2005, 6:15 pm

Thanks very much to all of you, Ray, Yamal and Mike.

I was totally unaware of this and Mike, you are right, they got it but I don't want to loose it to some net savvy madman.

Deeder

Pim

User avatar
 
Posts: 2153
Joined: May 17th, 2004, 2:04 pm
Location: Netherlands

Post Posted December 20th, 2005, 5:52 am

Mike Novack wrote:Microsoft assumed that Windows users could not be bothered to allow strusted sites JUST the specific extra privledges needed for the site to function. It's all or nothing. A site is either trusted or not.

Mozilla, FireFox, etc. don't work in that all or nothing way.

That's only true for certain features... There are features, such as Javascript, for which the reverse is true: you can turn it on or off in Mozilla globally, but you can't allow Javascript for some sites and disallow it for others. So in this respect, Mozilla is less flexible than IE. (Ehm, unless you install an extension to do this.)

Besides, you can fine-tune the settings for all the security levels in IE, so it's not like you're stuck with a fixed bunch of features at each level.
Depending on your surfing habits, IE might even be more suitable to your needs than Mozilla.

Not that I'd ever prefer IE to Mozilla, but it would have been nice to be able to turn some functionality on/off per website, such as scripting or the restriction of contents displayed in IFRAMEs - just like you can with cookies and form data.
Groetjes, Pim

therube

User avatar
 
Posts: 13906
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted December 20th, 2005, 2:27 pm

but you can't allow Javascript for some sites and disallow it for others

Not so.
That is exactly what NoScript does for you.
It disables JS for (almost) all sites by default, & you allow (whitelist) those sites where you wish to have it enabled.

NoScript - Whitelist JavaScript blocking for a safer Firefox experience! - what is it? - InformAction
http://www.noscript.net/whats
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

Pim

User avatar
 
Posts: 2153
Joined: May 17th, 2004, 2:04 pm
Location: Netherlands

Post Posted December 21st, 2005, 12:01 pm

That's why I said "unless you install an extension to do this"... I've had problems with Noscript though, and uninstalling it wasn't easy, so I'm wary of it.
Groetjes, Pim

unabacus
 
Posts: 4
Joined: November 25th, 2005, 7:04 am
Location: Farnham, UK

Post Posted January 3rd, 2006, 5:52 am

a Security Rant so i don't go mad,

I don't agree with mozilla's over bearing security. to me Mozilla's way of thinking (in security) is killing off a lot of good ideas. Sure a lot of mozilla's other features actually add to the idea pool and before it existed trying to develop sites that were available cross-os / cross-browser was very difficult (Netscape 4.7 - urrghh.) - It's all this that keeps me liking mozilla/FF - but their security model just slowly inches me further up the wall with each silent "uncaught exception: privilege denied" type errors.

I am currently working on an application that allows the user to browse their hard drive and upload photos - now after much research on mozilla's part (IE was straight forward - not amazing but straight forward - mainly because the documentation is easy to find) i now have it working in both IE 6.0 and MOZ FF 1.5 but one of the simplest of things is disabled - i can't view the local image files in mozilla if working from a http:// location - so i can't preview the local photos in mozilla unless i upload them...!

I understand mozilla isn't designed for applications - it is a browser - but imo the desktop software future is in web-applications (the user can use the application, and the people who know what they are doing can look after, maintain and develop the application - no upgrades - no releases - just ever improving globally accessible software) so why are they choking this ability in the name of security. Web Applications are not just pages that are surfed in on, so they don't need the same security restrictions, they need to be able to ask the user if they can do something and then get on and do it.

I know you can sign scripts and get more privileges but that isn't very helpful for developers while developing.

Sure i know that the file:/// access is blocked for certain reasons, so that a website can't determine the user's OS or exploit OS bugs in old file systems - but with the amount of little work arounds and strange privilege requests I've had to make in mozilla to achieve certain things there should just be a carte blanche for certain applications or power sites - where the user has paid for the service and so therefore trusts the site and it's actions - if you buy some software and run that software your computer is at the mercy of that exe, so why is it any different for web-apps.

for the file:/// problem i have researched and made changes to my user.js using "capability.policy" and "checkloaduri" which using the "user_pref" code below should enable this straight forward feature. But it doesn't and the "security.checkloaduri" pref in "about:config" is ignored as well... i think the "security.checkloaduri" pref has been deprecated since 1.5 but then why is it still there in "about:config"? am i missing some hidden pref somewhere else to get this to work?

---

user_pref("capability.policy.policynames", "localfilelinks");
user_pref("capability.policy.localfilelinks.sites", "http://www.unabacus-design.co.uk");
user_pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");

---

The above would be fine for me (if it worked) but tbh i really don't want to have to get all my users to make edits to some hidden away .js file or anything of the like. At least in IE you can just use the GUI to add a trusted site and so even the oldest or slowest computer user can do it if provided with instructions. If you trust a site (especially if this is part of a local intranet or a web-application that my clients have paid for me to develop) then there should be a way to fully trust the site to do what it needs to do - sure this shouldn't be the end of the story like it is in IE, but an overall security switch should exist, it should have a GUI and it should have a damn big warning.

The security should be there by default, IE fails at this - this is not a Mozilla vs IE post - i am just interested in writing good cross-browser powerful applications (i don't care which browsers) but i am frustrated more so by the newest browsers (IE hasn't be altered, as usual, for ages) for having only partial solutions when they have full solutions to similar problems elsewhere. I used to be able to access the "security.checkloaduri" pref via the privilege system automatically (with a prompt to the user):

---

var cl = Components.classes["@mozilla.org/preferences-service;1"];
var prefs = cl.getService(Components.interfaces.nsIPrefBranch);

if(prefs && ( prefs.getBoolPref("security.checkloaduri") == true ) ) prefs.setBoolPref("security.checkloaduri", false);

---

but now that has been removed there is no way of requesting permission from the user. The privilege system works well in doing exactly what you'd want - the js is a bit odd to implement but it pops up and warns the user properly about what the site is going to do, and it allows the choice to be remembered. Why is this not available for all prefs?

The most ridiculous thing is that i can read / write the user's full hard drive but i can't display images... now which do you think it more of a security risk?

Please put me in my place if i have missed something detrimental to my complaint, but if i have missed something i'll post another rant about the confusing documentaion available ;)

Return to SeaMonkey Support


Who is online

Users browsing this forum: No registered users and 2 guests