Firefox blocks JavaScript in address bar by default

Update: It appears that the change has been in Firefox for longer than that. The preference mentioned below only filters javascript: from pasted code so that it does not appear in the history and autocomplete. It still appears to allow JavaScript code to be executed when set to false. End
Firefox users who upgraded the web browser to version 63 released in October 2018 may notice that the browser does not accept JavaScript code anymore when entered in the address bar.
Previous versions of the web browser allowed users to write or paste JavaScript code in the address bar to execute it from there. You can try this out yourself by typing javascript:alert("hello world") in the address bar and hitting Enter.
Previous versions of Firefox displayed the Hello World alert when executed but Firefox 63 blocks the execution and redirects the input to the default search engine instead. The same is true for any other JavaScript code that you enter in the address bar.
You may notice that javascript: is removed when you paste code into the address bar but even if you add it manually, it won't be executed.
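The paste filtering described above, as an added illustration (this is not Firefox's source code; the function names are hypothetical). It shows why a filter of this kind has to tolerate the same leniency a URL parser applies (mixed case, leading whitespace, tabs and newlines inside the scheme) and has to repeat until no javascript: prefix is left:

```javascript
// Added example, not Firefox code: strip leading "javascript:" schemes from pasted text.
const SCHEME = "javascript";

// Return the index just past a leading "javascript:" scheme, or -1 if there is none.
// Leading spaces/control characters are skipped, ASCII tab/CR/LF inside the scheme
// are ignored (URL parsers drop them), and matching is case-insensitive.
function schemeEnd(text) {
  let i = 0;
  while (i < text.length && text.charCodeAt(i) <= 0x20) i++;
  let matched = 0;
  for (; i < text.length; i++) {
    const ch = text[i];
    if (ch === "\t" || ch === "\n" || ch === "\r") continue;
    if (matched === SCHEME.length) return ch === ":" ? i + 1 : -1;
    if (ch.toLowerCase() !== SCHEME[matched]) return -1;
    matched++;
  }
  return -1; // ran out of input before reaching the colon
}

// Remove every leading javascript: prefix, so a doubled prefix cannot survive one pass.
function stripPastedJavascriptScheme(text) {
  let out = text;
  for (let end = schemeEnd(out); end !== -1; end = schemeEnd(out)) {
    out = out.slice(end);
  }
  return out;
}
```

Text without the prefix, such as an https:// URL or a word that merely starts with "javascript", passes through unchanged.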
Note: The change affects only JavaScript execution in the address bar. It does not impact bookmarklet functionality or the execution of JavaScript in the Developer Tools console.
While most Firefox users probably don't need the functionality, some may have used it for certain useful operations such as killing sticky elements on a page, changing the referrer on the fly or temporarily editing any website they come across.
The Firefox 63 changelog does not mention the change; considering that Mozilla makes hundreds of changes to Firefox, it is clear that it represents only a small portion of changes.
Thankfully, it is possible to undo the change by changing the value of a preference of the web browser. Here is how that is done:
- Load about:config?filter=browser.urlbar.filter.javascript in the Firefox address bar.
- You may get a warning page. Accept the warning to continue.
- Double-click on browser.urlbar.filter.javascript to change the value of the preference.
A value of True is the default. It means that Firefox blocks JavaScript code in the address bar. A value of False disables the limitation and enables the execution of JavaScript code in the Firefox address bar again.
You can undo the change at any time by repeating the three steps outlined above.
A value of False for the preference restores the functionality. Pasting code works again (javascript: is no longer removed), and code is executed when you hit the Enter-key on the keyboard.
Now You: Did you run JavaScript code from the address bar previously?


I am a bit curious what kind of hidden prefixes the address field accepts besides the common https://, FTP:// etc… how about MOZ:// and other secret stuff providing a backdoor… :)
Martin, thanks very much for clarifying that this change doesn’t affect bookmarklets. I was starting to get all wound up for a nasty criticism of Mozilla again until I read your clarification.
browser.urlbar.filter.javascript has been implemented and set to true in Firefox 3 Beta 4 nine years ago (!). It took me only a few seconds to check this (use the “blame” feature on searchfox.org). I also tested an old Firefox version from last year and there is – as expected – no difference at all.
Why do you think anything has changed?
I ran a test today and JavaScript execution did not work in the address bar. Opened a Firefox 62.0.2 and it worked. The strange thing is, it works on that version of Firefox even if the preference is set to True (the default). Maybe it is a bug?
Firefox 63.0 (x64) / Windows 7 (x64)
Typing javascript:alert("hello world") in the urlbar
browser.urlbar.filter.javascript = true : blocked … normal
browser.urlbar.filter.javascript = false : blocked as well … surprising
Seems javascript in urlbar is blocked elsewhere.
There is nothing surprising.
JFR → browser.urlbar.filter.javascript
This pref controls whether ‘javascript:’ URIs are filtered out of autocomplete results.
Possible values and their effects
True
Filter out “javascript:” URLs from appearing in the Location Bar autocomplete dropdown. (Default)
False
Allow “javascript:” URLs to appear in the dropdown.
Do You remember FF3 and the shiny new “awesombar” with addressbar suggestions?
That’s when the discussion started
https://bugzilla.mozilla.org/show_bug.cgi?id=417798
…
javascript:alert(“There must be some kind of_____________๏̯͡๏_____ way outta here
Said the joker to the thief
There’s too much confusion … https://www.youtube.com/watch?v=TLV4_xaYynY“);
@manouche: “Do You remember FF3 and the shiny new “awesombar” with addressbar suggestions?”
I do! I hated the “awesomebar” then, and I still hate it now.
Ah … I see!
Is this the reason why you still hate the “awesomebar” now and then?
http://www.alphr.com/blogs/2009/08/26/porn-collection-put-people-off-upgrading-to-firefox-3
😇
For the historians @ ghacks.net: A bit of history about the Mozilla-Update-Refuseniks(отказник)
https://blog.mozilla.org/metrics/2009/08/24/why-people-dont-upgrade-their-browser-part-ii/
I am still on 62.0.3 and browser.urlbar.filter.javascript is true by default.
Whatever the default value of browser.urlbar.filter.javascript and the fact it’s changed or not with FF63, one thing remains :
browser.urlbar.filter.javascript = true means javascript CANNOT be run from the urlbar
browser.urlbar.filter.javascript = false means javascript CAN be run from the urlbar
And this concerns the urlbar only, not bookmarklets.
I’m not saying you ignore this, asd, only as a reminder :=)
Ever since I started using Pants’ Ghacks.user.js (and that’s been for a while now), browser.urlbar.filter.javascript is set to true (unusable javascript in the urlbar).
I do use javascript in bookmarklets, in an optimized environment thanks to the excellent ‘Bookmarklets context menu’ Webextension ( https://addons.mozilla.org/en-US/firefox/addon/bookmarklets-context-menu/ )
@Tom Hawack: thanks for mentioning the extension.
Firefox hasn’t allowed JavaScript in the urlbar by default for many, many years. Since Fx 4 or something like that. Almost certainly before rapid release.
I cannot confirm your discovery. In my FF 63.0 (64-Bit) the value “browser.urlbar.filter.javascript” is by default set to “true”.
Occasionally I run bookmarklets and still without any problems in FF 63.0
Fun facts: I get this
http://666kb.com/i/dy2tjbvy10szwxjnw.jpg
popup_overlay on ghacks.net and have to kill the div via devtools first, before I actually can use the bookmarklet.
Bookmarklets are not affected by the change.
@Martin Brinkmann
I got confused by the second image in your article
https://www.ghacks.net/wp-content/uploads/2018/10/firefox-address-bar-javascript.png
containing the value of ‘false’ and the surrounding text.
Just as a reminder:
/* 0806: disable displaying javascript in history URLs – SECURITY ***/
user_pref("browser.urlbar.filter.javascript", true);
(Source: https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js)
which is anyway by default the value of ‘true’. There is no need to set this value to ‘false’ — unless someone is desperate to execute JavaScript via the address bar.
Still I am wondering why someone would try to execute JavaScript code via the address bar, as long as you can open your scratchpad with ‘Shift + F4’, a more comfortable environment for experimenting with JavaScript code.
You are right in terms of the bookmarklets, they are treated as links.
@Martin Brinkmann: OK, no need to answer my previous reply.
Martin was (also) answering Manouche’s comment I guess…
“Kill stickies” still works in FF63 without me having changed anything. Perhaps because I use the portable version?
Drop that out-dated marklet, try this:
https://addons.mozilla.org/en-US/firefox/addon/sticky-ducky/
@gwacks: Sticky Ducky is supposed to clean the page automatically. I tried it on 1 page (https://www.timeanddate.com/weather/) and the sticky was there, had to clean it with the good ol’ Kill Stickies bookmarklet. So, thanks but no thanks for yet another extension, and one that does not even work.
Did you copy the code in Firefox’s address bar or use the bookmarklet?
@Martin Brinkmann: I use the bookmarklet.
Great, I disabled it. I use a script to remove all cookies per domain.
Speaking of annoying, Firefox 63 and addressbar – I can’t type about:config then press Enter because now Firefox autocompletes the address as “about:config/” which fails to load. I have to press backspace before. And the addressbar selection is now white with pale blue text, instead of blue with white text which makes it difficult to read.
Two very, very important things to note:
1. you can still use bookmarklets with javascript (one of the linked Ghacks articles about why you might want to use javascript is about a bookmarklet)
2. you can still paste javascript into the developer console to execute it (another of the linked Ghacks articles is about using the developer console)
I was thinking that this was the beginning of the end for javascript bookmarklets, which I use often for sending a webpage to a service (e.g., http://marklets.com/Todoist.aspx). Maybe it still is the beginning of the end, but at least the end seems further away.
Good points. I added a remark to the article to make that clearer.
I just tried this in FF 62.0.3 and it does nothing other than change javascript:alert("hello world") to alert("hello world")
I am now using FF 71.0, and even with the option set to false, I cannot run javascript from the address bar.
Strange, I tried this in Firefox 62.0.2 and JavaScript worked fine in that version. Maybe Mozilla made the change in 62.0.3?