Firefox blocks JavaScript in address bar by default

Martin Brinkmann
Oct 24, 2018
Updated • Oct 24, 2018

Update: It appears that the change has been in Firefox for longer than that. The preference mentioned below only filters javascript: from pasted code so that such entries do not appear in the history and autocomplete. It still appears to allow JavaScript code to be executed when set to false. End

Firefox users who upgraded the web browser to version 63 released in October 2018 may notice that the browser does not accept JavaScript code anymore when entered in the address bar.

Previous versions of the web browser allowed users to write or paste JavaScript code in the address bar to execute it from there. You can try this out yourself by typing javascript:alert("hello world") in the address bar and hitting Enter.

Previous versions of Firefox displayed the Hello World alert when executed but Firefox 63 blocks the execution and redirects the input to the default search engine instead. The same is true for any other JavaScript code that you enter in the address bar.


You may notice that javascript: is removed when you paste code into the address bar but even if you add it manually, it won't be executed.

Note: The change affects only JavaScript execution in the address bar. It does not impact bookmarklet functionality or the execution of JavaScript in the Developer Tools console.

While most Firefox users probably don't need the functionality, some may have used it for certain useful operations such as killing sticky elements on a page, changing the referrer on the fly, or temporarily editing any website they come across.

The Firefox 63 changelog does not mention the change; considering that Mozilla makes hundreds of changes to Firefox, it is clear that the changelog covers only a small portion of them.


Thankfully, it is possible to undo the change by changing the value of a preference of the web browser. Here is how that is done:

  1. Load about:config?filter=browser.urlbar.filter.javascript in the Firefox address bar.
  2. You may get a warning page. Accept the warning to continue.
  3. Double-click on browser.urlbar.filter.javascript to change the value of the preference.

A value of True is the default. It means that Firefox blocks JavaScript code in the address bar. A value of False disables the limitation and enables the execution of JavaScript code in the Firefox address bar again.

You can undo the change at any time by repeating the three steps outlined above.

A value of False for the preference restores the functionality. Pasting code works again (javascript: is no longer removed), and code is executed when you hit the Enter-key on the keyboard.
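
To check the preference outside about:config, the following added example (not code from this article or from Mozilla) parses the text of a profile's prefs.js and optional user.js and reports whether browser.urlbar.filter.javascript is still at its default. The function names and the sample file contents are constructed for illustration.

```javascript
// Added example: effective value of browser.urlbar.filter.javascript for a profile.
const PREF = "browser.urlbar.filter.javascript";
const DEFAULT_VALUE = true; // default stated in the article

// Drop /* ... */ blocks and whole-line // comments so commented-out entries are ignored.
function stripComments(text) {
  return text.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, "");
}

// Parse user_pref("name", value); entries into a Map; a later entry replaces an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/g;
  for (const m of stripComments(text).matchAll(re)) {
    const raw = m[2];
    if (raw === "true" || raw === "false") prefs.set(m[1], raw === "true");
    else if (raw.startsWith('"')) prefs.set(m[1], raw.slice(1, -1));
    else prefs.set(m[1], Number(raw));
  }
  return prefs;
}

// user.js is applied on top of prefs.js at startup, so it wins when both set the pref.
function auditUrlbarFilter(prefsJsText, userJsText = "") {
  const fromPrefs = parsePrefs(prefsJsText);
  const fromUser = parsePrefs(userJsText);
  let value = DEFAULT_VALUE;
  let source = "default";
  if (fromPrefs.has(PREF)) { value = fromPrefs.get(PREF); source = "prefs.js"; }
  if (fromUser.has(PREF)) { value = fromUser.get(PREF); source = "user.js"; }
  return { value, source, changedFromDefault: value !== DEFAULT_VALUE };
}

// Constructed sample file contents (not taken from a real profile).
const samplePrefs = [
  "// Mozilla User Preferences",
  'user_pref("browser.startup.page", 3);',
  'user_pref("browser.urlbar.filter.javascript", false);',
].join("\n");
const sampleUserJs =
  '/* 0806: pin the filter ***/ user_pref("browser.urlbar.filter.javascript", true);';

console.log(auditUrlbarFilter(samplePrefs));               // prefs.js alone
console.log(auditUrlbarFilter(samplePrefs, sampleUserJs)); // user.js overrides it
```

In practice, pass the contents of the profile's own prefs.js and user.js files, read with fs.readFileSync, in place of the sample strings.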

Now You: Did you run JavaScript code from the address bar previously?


Comments

  1. Just curious said on October 26, 2018 at 5:21 pm

    I am a bit curious what kind of hidden prefixes the address field accepts besides the common https://, FTP:// etc… how about MOZ:// and other secret stuff providing a backdoor… :)

  2. John C. said on October 25, 2018 at 2:08 pm

    Martin, thanks very much for clarifying that this change doesn’t affect bookmarklets. I was starting to get all wound up for a nasty criticism of Mozilla again until I read your clarification.

  3. Sören Hentzschel said on October 24, 2018 at 4:14 pm

    browser.urlbar.filter.javascript has been implemented and set to true in Firefox 3 Beta 4 nine years ago (!). It took me only a few seconds to check this (use the “blame” feature on searchfox.org). I also tested an old Firefox version from last year and there is – as expected – no difference at all.

    Why do you think anything has changed?

    1. Martin Brinkmann said on October 24, 2018 at 4:30 pm

      I ran a test today and JavaScript execution did not work in the address bar. Opened a Firefox 62.0.2 and it worked. The strange thing is, it works on that version of Firefox even if the preference is set to True (the default). Maybe it is a bug?

      1. Tom Hawack said on October 24, 2018 at 4:41 pm

        Firefox 63.0 (x64) / Windows 7 (x64)

        Typing javascript:alert("hello world") in the urlbar

        browser.urlbar.filter.javascript = true : blocked … normal
        browser.urlbar.filter.javascript = false : blocked as well … surprising

        Seems javascript in urlbar is blocked elsewhere.

      2. manouche said on October 24, 2018 at 9:46 pm

        There is nothing surprising.

        JFR → browser.urlbar.filter.javascript

        This pref controls whether ‘javascript:’ URIs are filtered out of autocomplete results.

        Possible values and their effects

        True

        Filter out “javascript:” URLs from appearing in the Location Bar autocomplete dropdown. (Default)

        False

        Allow “javascript:” URLs to appear in the dropdown.

        Do you remember FF3 and the shiny new “awesomebar” with addressbar suggestions?

        That’s when the discussion started

        https://bugzilla.mozilla.org/show_bug.cgi?id=417798

        javascript:alert(“There must be some kind of_____________๏̯͡๏_____ way outta here
        Said the joker to the thief
        There’s too much confusion … https://www.youtube.com/watch?v=TLV4_xaYynY“);

      3. John Fenderson said on October 25, 2018 at 12:31 am

        @manouche: “Do You remember FF3 and the shiny new “awesomebar” with addressbar suggestions?”

        I do! I hated the “awesomebar” then, and I still hate it now.

      4. manouche said on October 25, 2018 at 7:47 am

        Ah … I see!

        Is this the reason why you still hate the “awesomebar” now and then?

        http://www.alphr.com/blogs/2009/08/26/porn-collection-put-people-off-upgrading-to-firefox-3

        😇

        For the historians @ ghacks.net: A bit of history about the Mozilla-Update-Refuseniks(отказник)

        https://blog.mozilla.org/metrics/2009/08/24/why-people-dont-upgrade-their-browser-part-ii/

  4. asd said on October 24, 2018 at 3:49 pm

    I am still on 62.0.3 and browser.urlbar.filter.javascript is true by default.

    1. Tom Hawack said on October 24, 2018 at 3:56 pm

      Whatever the default value of browser.urlbar.filter.javascript and the fact it’s changed or not with FF63, one thing remains :

      browser.urlbar.filter.javascript = true means javascript CANNOT be run from the urlbar
      browser.urlbar.filter.javascript = false means javascript CAN be run from the urlbar

      And this concerns the urlbar only, not bookmarklets.

      I’m not saying you ignore this, asd, only as a reminder :=)

  5. Tom Hawack said on October 24, 2018 at 3:39 pm

    Ever since I started using Pants’ Ghacks.user.js (and that’s been for a while now), browser.urlbar.filter.javascript has been set to true (unusable javascript in the urlbar).

    I do use javascript in bookmarklets, in an optimized environment thanks to the excellent ‘Bookmarklets context menu’ Webextension ( https://addons.mozilla.org/en-US/firefox/addon/bookmarklets-context-menu/ )

    1. Klaas Vaak said on October 24, 2018 at 6:05 pm

      @Tom Hawack: thanks for mentioning the extension.

  6. sintapilgo said on October 24, 2018 at 3:38 pm

    Firefox hasn’t allowed JavaScript in the urlbar by default for many, many years. Since Fx 4 or something like that. Almost certainly before rapid release.

  7. manouche said on October 24, 2018 at 2:59 pm

    I cannot confirm your discovery. In my FF 63.0 (64-Bit) the value “browser.urlbar.filter.javascript” is by default set to “true”.
    Occasionally I run bookmarklets and still without any problems in FF 63.0

    Fun facts: I get this

    http://666kb.com/i/dy2tjbvy10szwxjnw.jpg

    popup_overlay on ghacks.net and have to kill the div via devtools first, before I actually can use the bookmarklet.

    1. Martin Brinkmann said on October 24, 2018 at 3:01 pm

      Bookmarklets are not affected by the change.

      1. manouche said on October 24, 2018 at 5:41 pm

        @Martin Brinkmann

        I got confused by the second image in your article

        https://www.ghacks.net/wp-content/uploads/2018/10/firefox-address-bar-javascript.png

        containing the value of ‘false’ and the surrounding text.

        Just as a reminder:

        /* 0806: disable displaying javascript in history URLs – SECURITY ***/
        user_pref("browser.urlbar.filter.javascript", true);

        (Source: https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js)

        which is anyway by default the value of ‘true’. There is no need to set this value to ‘false’ — unless someone is desperate to execute JavaScript via the address bar.

        Still I am wondering why someone would try to execute JavaScript code via the address bar, as long as you can open your scratchpad with ‘Shift + F4’, a more comfortable environment for experimenting with JavaScript code.

        You are right in terms of the bookmarklets, they are treated as links.

      2. Klaas Vaak said on October 24, 2018 at 3:12 pm

        @Martin Brinkmann: OK, no need to answer my previous reply.

      3. Tom Hawack said on October 24, 2018 at 3:42 pm

        Martin was (also) answering Manouche’s comment I guess…

  8. Klaas Vaak said on October 24, 2018 at 2:43 pm

    “Kill stickies” still works in FF63 without me having changed anything. Perhaps because I use the portable version?

    1. gwacks said on October 26, 2018 at 5:15 am

      Drop that out-dated marklet, try this:
      https://addons.mozilla.org/en-US/firefox/addon/sticky-ducky/

      1. Klaas Vaak said on October 26, 2018 at 9:41 am

        @gwacks: Sticky Ducky is supposed to clean the page automatically. I tried it on 1 page (https://www.timeanddate.com/weather/) and the sticky was there, had to clean it with the good ol’ Kill Stickies bookmarklet. So, thanks but no thanks for yet another extension, and one that does not even work.

    2. Martin Brinkmann said on October 24, 2018 at 2:47 pm

      Did you copy the code in Firefox’s address bar or use the bookmarklet?

      1. Klaas Vaak said on October 24, 2018 at 3:11 pm

        @Martin Brinkmann: I use the bookmarklet.

  9. Yuliya said on October 24, 2018 at 2:30 pm

    Great, I disabled it. I use a script to remove all cookies per domain.
    Speaking of annoying, Firefox 63 and addressbar – I can’t type about:config then press Enter because now Firefox autocompletes the address as “about:config/” which fails to load. I have to press backspace before. And the addressbar selection is now white with pale blue text, instead of blue with white text which makes it difficult to read.

  10. Joe said on October 24, 2018 at 2:23 pm

    Two very, very important things to note:

    1. you can still use bookmarklets with javascript (one of the linked Ghacks articles about why you might want to use javascript is about a bookmarklet)

    2. you can still paste javascript into the developer console to execute it (another of the linked Ghacks articles is about using the developer console)

    I was thinking that this was the beginning of the end for javascript bookmarklets, which I use often for sending a webpage to a service (e.g., http://marklets.com/Todoist.aspx). Maybe it still is the beginning of the end, but at least the end seems further away.

    1. Martin Brinkmann said on October 24, 2018 at 2:30 pm

      Good points. I added a remark to the article to make that clearer.

  11. Flotsam said on October 24, 2018 at 1:56 pm

    I just tried this in FF 62.0.3 and it does nothing other than change javascript:alert("hello world") to alert("hello world")

    1. Yves Marcoux said on January 6, 2020 at 6:25 pm

      I am now using FF 71.0, and even with the option set to false, I cannot run javascript from the address bar.

    2. Martin Brinkmann said on October 24, 2018 at 2:17 pm

      Strange, I tried this in Firefox 62.0.2 and JavaScript worked fine in that version. Maybe Mozilla made the change in 62.0.3?
