How to rein in Javascript in browsers?

Discussion in 'other security issues & news' started by lunarlander, Aug 13, 2020.

  1. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    256
    Javascript is too powerful and too useful to hackers. A simple hack such as setting the background color to the text color will render your page unreadable. Javascript can also download and execute malware. Any way to limit it?
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    8,548
    Location:
    Among the gum trees
    NoScript.
     
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    216
  4. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,587
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,624
    Location:
    The Netherlands
    Actually you shouldn't worry about this anymore, back in the days it was easy to hack browsers, but not anymore. You should probably only block third party scripts, but you can allow first party scripts, unless you want to break most websites.
     
  6. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    256
    How do you block 3rd party scripts?
     
  7. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,587
  8. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    751
    Location:
    The Netherlands
  9. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,587
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,831
    Location:
    Nicaragua
    Hi lunarlander. I am going to tell you how I control what runs in my browsers with NoScript. Basically, I only allow to run what's needed to get the content I want in pages I visit. That sentence tells exactly how I use NoScript and how I handle content in general when I browse the internet.

    To make things easier and fluent, you create a white list and a blacklist (the blacklist is not really required but I do it because in the long run, it does make things a lot easier).

    The whitelist. To build the white list, you visit the websites you visit on a regular basis (your bookmarks) and whitelist (Trust) the domains that have to be allowed to run to get the content you want from these websites. For example, in YouTube, you whitelist the domains that are required to watch videos. In Yahoo mail, you allow all the scripts that are needed for you to interact with the website, send and receive, etc, and nothing else. NoScript will remember the domains you trust, and will allow them to run automatically when you visit these sites in the future. Building the whitelist is important because it reduces the amount of interacting that you do with NoScript. If you do it right, you won't interact with NoScript at all when you navigate your bookmarks.

    The blacklist. By default, all scripts that are not in your whitelist are forbidden to run. So, domains that are not in the whitelist and domains that are set as Untrusted are basically treated the same by NoScript when you visit websites, they will not be allowed to run. The blacklist is a list that you build over time, and should be based on your personal case use. In my opinion, it is better to base it on the type of websites you visit, the type of browsing each individual does. Basically, you include in the blacklist (or, also called Untrusted list), domains that you encounter time and time again while browsing the internet, some of them it seems like they follow you all over the place, and over time, you learn what they are, what they do, and most importantly, you realize that they are not required for running any useful content. You get so familiar with this type of scripts that you learn to identify them just by looking at their names. So, what to do with them? You can leave them be (Remember, they will not run unless you allow them), or set them as Untrusted.

    NoScript has a setting that you can click to Temporarily allow all scripts in a webpage, this setting is useful when you are a beginner or when you visit a website at random. If you get the content you want without having to allow anything, then you don't allow nothing. But if there is content you want, and instead of spending time figuring what to allow and what not to allow, to get things working quickly, you can click to Temporarily allow the page, this would give you the content. When you do this (Temporarily allow a webpage), the Blacklist becomes very helpful, the reason being that domains that are included in the blacklist, will not be allowed to run when you temporarily allow a webpage. This is the main reason for creating the Blacklist.

    I am going to finish here, by telling you two final thoughts. One, in the 11 years I have used NoScript, I have never seen anything that looks like malware, or anything suspicious running when browsing. If you use NoScript, and become an advanced user, you'll be using NoScript for cleaning the waters of the internet, the sharks of the internet will be turned into sardines. :)

    And last, congratulations for looking at controlling the content that runs in the webpages you visit. The benefits are immense. Doing this is not only good for security. The main reason I use NoScript is for cleaning the internet, to make it usable. Some say that it breaks the internet but if you learn how to use this type of programs, it's the opposite. At the beginning it is a little difficult, you have to learn the program and make sense of it, but if at the beginning you take a no-nonsense attitude about it, after a while, the program will start clicking and all things will suddenly make sense. And perhaps, you'll go WOW, it is so easy.

    Bo
     
    Last edited: Aug 17, 2020
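Added example (not part of the original post and not NoScript's own code): a small model of the permission logic bo elam describes above, where nothing runs by default, trusted domains always run, and untrusted domains stay blocked even when a page is temporarily allowed. The class and function names, the subdomain matching and the `.test` host names are assumptions made for illustration.

```javascript
// Model of the allow/deny logic described in the post above; not NoScript's code.
// Names, subdomain matching and the .test hosts are assumptions for illustration.
const TRUSTED = "trusted", UNTRUSTED = "untrusted", DEFAULT = "default";

class ScriptPolicy {
  constructor() {
    this.lists = new Map();     // domain -> TRUSTED | UNTRUSTED (remembered)
    this.tempPages = new Set(); // pages temporarily allowed in this session
  }
  trust(domain) { this.lists.set(domain.toLowerCase(), TRUSTED); }
  untrust(domain) { this.lists.set(domain.toLowerCase(), UNTRUSTED); }
  tempAllowPage(pageHost) { this.tempPages.add(pageHost.toLowerCase()); }
  endSession() { this.tempPages.clear(); }

  // Most specific rule wins: cdn.example.test is checked before example.test.
  lookup(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < Math.max(1, labels.length - 1); i++) {
      const state = this.lists.get(labels.slice(i).join("."));
      if (state) return state;
    }
    return DEFAULT;
  }

  decide(pageHost, scriptHost) {
    const state = this.lookup(scriptHost);
    // Blacklist is checked first, so a temporary page allow cannot override it.
    if (state === UNTRUSTED) return { allow: false, reason: "blacklisted" };
    if (state === TRUSTED) return { allow: true, reason: "whitelisted" };
    if (this.tempPages.has(pageHost.toLowerCase()))
      return { allow: true, reason: "temporary" };
    return { allow: false, reason: "default-deny" };
  }
}

// Decide every script host a page requests and keep the reason for each.
function auditPage(policy, pageHost, scriptHosts) {
  return scriptHosts.map((h) => ({ host: h, ...policy.decide(pageHost, h) }));
}

// Constructed sample: one page requesting three script hosts.
const policy = new ScriptPolicy();
policy.trust("video.test");
policy.untrust("tracker.test");
const hosts = ["player.video.test", "widgets.test", "cdn.tracker.test"];
console.log(auditPage(policy, "news.test", hosts));
policy.tempAllowPage("news.test");
console.log(auditPage(policy, "news.test", hosts));
```

The second audit shows the point of keeping a blacklist: after the temporary allow, the unlisted host runs while the untrusted one is still blocked.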
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,817
    Location:
    U.S.A. (South)
    I long already use UBlock Origin but when I activate NoScript it turns the lights off on javascript totally.

    In fact I often find I need disable NoScript and just let UBlock assume page handlings coz NoScript knocks em out cold.
     
  12. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,831
    Location:
    Nicaragua
    That's the idea with NoScript. And what you should want if you are using NoScript. By default, nothing runs.

    That's point 0, and you go from there and build your whitelist and blacklist. :)

    Bo
     
  13. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    2,587
    ditto. disabling 1st party scripts makes browsing unbearably frustrating.

    @lunarlander
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,817
    Location:
    U.S.A. (South)
    No doubt Sherlock. (only in jest)

    In reality it stops javascript EXACTLY as you say and I do mean Whoa Sally, no go.

    As a greenie to browser bunker supplies, thanks a bunch for letting me know I can line item things.

    See I didn't know this, only that UBlock Origin is my go to and No Script activated is my shut down the nonsense failsafe
     
  15. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    5,831
    Location:
    Nicaragua
    The Set all on this page Temporarily Trusted setting is available to make things easier for beginners. As you become more and more advanced, and as you build your permission lists (White and black list), you'll find yourself using that setting less and less, and the interaction that you have to do with NoScript in order to make pages give you the content you want becomes almost 0. After a while, if you set things right, it is all set and done. No need to fiddle around. Personally, I wouldn't like it if I had to spend time interacting with NoScript every day.
    Many websites work perfectly well without allowing anything to run. In this type of websites, if you are able to get the content you want out of the website, it doesn't make any sense to allow anything to run. And this is what I do in this type of sites, allow nothing.

    I am going to give an example. I read the Washington Post every day, top to bottom, and visit the site night and day. And don't allow nothing and I still get the content I want. The way I treat the Post, is how I handle websites in general that I visit at random. And a high percentage of websites that are visited at random can be treated the same way, and you are still able to get the content you want.

    Bo
     
  16. lunarlander

    lunarlander Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    256
    I remember a few months back that I got a black background attack.
    Did the attacker spoof the site I was visiting? Is that how it was done? Mind you I did not have any Javascript blocking.
     
    Last edited: Aug 19, 2020
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,624
    Location:
    The Netherlands
    Sorry, I forgot to explain this. For someone who is new to this I suggest a tool like Ghostery, it's good for security and privacy and will not break almost every website like NoScript. Like I said, there is absolutely no reason to block first party script, browsers have become quite secure. And if you're worried about browser exploits you can simply use a tool like MBAE.

    https://www.techspot.com/downloads/6056-malwarebytes-anti-exploit.html
    https://www.ghostery.com/products/

    Yes exactly, it's pointless. NoScript is only interesting for uber geeks who find it fun to have complete control of script loading, I don't have the time for this stuff, neither do 99% of most people.
     