Micro.blog

mdrockwell
Trying Firefox on my work laptop. You sure can customize this thing, eh?
mike.rockwell.mx
mcg

@mdrockwell Containers are one of my favorite Firefox things.

mdrockwell

@mcg I'm not familiar with it. Is it the add-on for keeping different types of browsing separate? That's what I find when I search. Or is it something else?

mcg

@mdrockwell Some container functionality is built in but this extension adds more. addons.mozilla.org/en-US/fir...

duncanhart

@mdrockwell Running JavaScript inside PDFs is a bad idea and Mozilla previously disabled it by default. But now with Firefox 88 this option is ENABLED by default. Which means, if a PDF file contains JS it will run without any user interaction. What can possibly go wrong?

To disable this: about:config pdfjs.enableScripting --> false

mdrockwell

@duncanhart Curious, is there a reason why this would be more dangerous than JavaScript on web pages? Does it have access to more of your machine? Or is there something else that's a cause for concern?

duncanhart

@mdrockwell It’s the rendering of the JavaScript in the PDF that’s the problem. The PDF rendering engines are generally very permissive, not well sandboxed and have previously contained well-known vulnerabilities (Adobe in particular).

mdrockwell

@duncanhart Cool. I'll disable it the first chance I get. ✌️

duncanhart

@mdrockwell JavaScript is a very rich and expressive language and therein lies the problem with it 😕

mcg

@duncanhart @mdrockwell FWIW Chrome has rendered JS in PDFs for a while. Does it increase security risk? Maybe. Is it that much different than running JS on a web page? Not really. Is it a lot more secure than opening the PDF in Adobe? Yes.