Thunderbird has disabled javascript in message content since version 3 [1].
What is upstream's position on disabling javascript in remote content such as RSS by default?

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Releases/3

Their position hasn't changed, otherwise they would have changed the default for the "javascript.enabled" pref to "false".

"javascript.enabled" is only for the RSS context, whilst the pref for allowing JS in the email context was "javascript.allow.mailnews" - however they completely removed support for JS in the email context (hence also for the "javascript.allow.mailnews" pref itself) starting with Thunderbird 3, so it cannot be enabled for emails even if the user wanted to.

General packaging policy in Arch is to stick with what upstream provides. Everyone is free to make their own local modifications

@MichelKoss1: Whilst in general, I agree with that position, there is precedent where Arch ships a different configuration than upstream's default. The most well-known example for this is probably the imagemagick package, which disables support for PostScript by default:

https://git.archlinux.org/svntogit/packages.git/tree/trunk/IM7-GS-policy.patch?h=packages/imagemagick#n7

Also, note that this is not a compile-time option, but just a changed default setting which users can still change back to Mozilla's default if they so please.

I'm aware, imagemagick maintainer is questioning that: https://bugs.archlinux.org/task/62785#comment179558

Users who don't like mozilla default can change it right now as well.

Upstream's questionable attitude towards IT security shouldn't be an excuse to ship packages with an inherently insecure default configuration.

You may want to have a look at Mozilla's security advisories for Thunderbird:

https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird60.7.2

Of the 11 security advisories from Thunderbird 60.0 to 60.7.2, there has only been a single one (MFSA2019-17 for Thunderbird 60.7.1) which fixed security issues that were *not* caused by JavaScript being enabled "in browser or browser-like contexts". *All* of the other 10 security advisories started with the following note:

"In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts."

Almost the same ratio applies to the 10 security advisories for Thunderbird 52.x - only a single one of them (MFSA2017-30 for Thunderbird 52.5.2) didn't come with the above note, but rather with (among others) a "CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin":

https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7846

So at the end of the day, the change that I'm requesting would mitigate the security issues which have been the reason for over 90% of Thunderbird updates over the last two major releases, at the cost of potentially requiring a very small number of users to toggle a single about:config flag once for some very exotic use cases. In fact, of the 41 RSS feeds I'm currently subscribed to, there's only a single one that uses JS at all - and that one isn't even a public/free feed, but just the paid RSS feed of golem.de. And even there, JS is only needed if you actually want to play videos and scroll through picture galleries, whilst the rest of the feed works perfectly fine even without JS.

Well, for people who don't use browser-like context in TB flipping this setting and related security issues are irrelevant. They are relevant for people who use browser-like context but they would have to flip it back to not lose functionality in first place.

So people for whom this mitigation matter the most are ones who will disable it most likely. I think this isn't worth effort from Arch.