5.3 Disable Displaying JavaScript in History URLs

Information

This setting controls JavaScript URLs history from being displayed in the history bar.

Rationale:

Various browser elements, even a simple link, can embed javascript: URLs and access the javascript: protocol. The JavaScript statement used in a javascript: URL can be used to encapsulate a specially crafted URL that performs a malicious function.

Impact:

None - This is the default behavior.

Solution

To establish the recommended configuration, set browser.urlbar.filter.javascript to true:

Type about:config in the address bar

Type browser.urlbar.filter.javascript in the filter

Ensure the setting is set as prescribed.

OR

Open the mozilla.cfg file in the installation directory with a text editor

Add the following lines to mozilla.cfg:

lockPref('browser.urlbar.filter.javascript', true);

Default Value:

True

See Also

https://workbench.cisecurity.org/files/4299

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Windows

Control ID: 8c43274557e66b3b4438b5db2e7400c0e74ec143f2398552573967fe694cb158