Closed Bug 344724 Opened 18 years ago Closed 16 years ago

Thunderbird Options window should discourage users from enabling JavaScript

Categories

(Thunderbird :: Preferences, enhancement)

PowerPC
macOS
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 453943

People

(Reporter: jruderman, Unassigned)

Details

JavaScript in mail is arguably more dangerous than JavaScript in web pages, because of the possibility of worms when a hole is known.  So dveditz and I think that maybe Thunderbird's Options window should have text discouraging users from enabling JavaScript.

Just relying on most people not opening the Options window, and most people not having a reason to enable JavaScript, might not be sufficient to prevent the spread of worms. Consider a message that ends with "You must have JavaScript enabled to see the rest of this message", for example. Or perhaps there are communities where lots of users have JavaScript enabled in mail, and worms could spread within those communities.

Why not just remove the UI altogether, and maybe have a way to enable JS on a per-message basis?

Assignee: mscott → nobody

As of Thunderbird 2, there is no GUI (besides about:config) anymore.

But I would recommend removing the pref altogether, further reducing the attack surface of Thunderbird - a significant portion of vulnerabilities are purely theoretical until one enables JS in Thunderbird.

What are the legitimate use cases for JavaScript in mail, anyway? How do other mail clients handle this?

(In reply to comment #2)
> I would recommend removing the pref altogether, further reducing the attack
> surface of Thunderbird - a significant portion of vulnerabilities are purely
> theoretical until one enables JS in Thunderbird.

It seems this will be done some way or another, see bugs 453943 and 453928.

Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE