Life without Javascript

Discussion in 'other security issues & news' started by MisterB, Jun 27, 2014.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I see you went for my approach. :thumb:

    And like I said earlier in the thread, I've chosen to run in "standard mode", with "top level domains" always enabled. This will break some sites, but I'd rather have this than slow-loading web pages. When stuff must work I choose "globally enable all".
     
  2. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I actually have multiple approaches implemented in different browsers on different computers. It is nice to know that JavaScript can be disposed of entirely in the majority of cases, especially when it comes to written content. Apart from using up bandwidth unnecessarily, it is also a real security risk and default deny is the best security strategy. It is just classic security applied to JavaScript. A webpage, just like a piece of software, is only allowed the privileges it needs to function. An unknown webpage is just given basic access to the browser and if it needs elevated privileges, that is granted on a case by case basis. Only known and trusted sites that require it are allowed full script running privileges and that doesn't apply to outside domains that supply content to a page on that site.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
  4. guest

    guest Guest

    I managed to use Wilders Security Forums without activating JavaScript at all. As long as I can remember the BB codes, it is doable. Now I have even fewer (which were already not many) places where I must enable active contents. =D

    Not that I'm thinking Wilders is going to spread malware or something, I already have backup plans if that would even happen. I just prefer not to enable JavaScript when I really really don't have to.
     
  5. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Wilders is well behaved. It works well without javascript. It is a little more convenient with it but it works fine without it.

    You can enable and disable javascript and subparts of it on a site by site basis in Opera Presto. All these years I've been using it and I never noticed this. The option is brought up by right clicking on a web page and you get a menu. Second from the bottom is "Edit Site Preferences". Javascript is under the "Scripting Tab". I didn't really need a script blocker addon but it is a little easier with a widget in the address bar.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    @ MisterB and GrafZeppelin

    I also disabled JS on Wilders, because I get high CPU usage when typing on this forum. And the "disable JS per site" feature in Opera Presto is awesome. Sometimes sites are slow to load even when scripts are blocked, so it's best to turn it off completely. Like I said before, a lot of sites will still display correctly. :)
     


  7. guest

    guest Guest

    I didn't actually believe that we can upload files with JS off in this website. But it turned out that we can, in Gecko anyway. I am pretty certain that it was not possible in Chrome w/ HTTPSB.
     
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    How on earth do you guys seriously browse the web with javascript disabled on most sites?? Maybe you are viewing lots of basic text-only sites, but I don't come across too many of those. Even a fairly basic website like theweathernetworkdotcom requires at least some essential js enabled for it to work properly. Two screenshots show it with js fully disabled, while the other one shows it with about 70% enabled. I use httpsb to block selected content. In the one where it's completely disabled I've chosen the link for 7 day forecast and you can see it's not helping much at all. The site is mostly broken, and this is not a rarity in some testing I've done across several of my Favorited sites.

    *EDIT*

    Sorry, I had initially uploaded the wrong image for the js-disabled site.
     

    Attached Files:

    • twn2.png (File size: 366.4 KB, Views: 20)
    • twn.png (File size: 94.1 KB, Views: 17)
    Last edited: Sep 14, 2014
  9. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA

    Broken is a relative concept. Most of what is broken is formatting, not essential information conveyed. Most of the broken sites don't convey much real information anyway. Javascript is a serious security risk and uses enormous amounts of bandwidth. A really well designed site should function perfectly well without it. Wilders is a good example.
     
  10. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    556
    Location:
    USA
    That depends on what the site is for. For instance, Yahoo's sports pages update scores and other game info in real time. I don't know how that would be accomplished without JavaScript or some other interactive element, unless you feel like repeatedly refreshing the page.

    Part of the problem today is that many sites pull content from elsewhere, and/or are designed to be modular enough to allow content to be syndicated and shared. Even things like text articles may come from a CDN (content distribution network) domain apart from the webpage.
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    Right, and that's the point I'm trying to get at. The weathernetwork site displays interactive weather maps for my region which I use a lot because I don't want to bike on my commute in the rain if at all possible. It doesn't work without js. A popular sports website also displays scores that require js, as well as videos that don't display without it. These are just a few examples of many I come across.

    And though I agree about the security risks of js, I believe, maybe I'm wrong, it is mostly advertisements on web pages that get injected with a malicious iFrame that are the common risks. Block the ads and that's most of the battle won.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Not always. My weather site, NOAA, requires Javascript to display the interactive maps, a very useful feature. Below, the site w/o JS enabled, and a message to that effect:
    NOAA.jpg


    ----
    rich
     
  13. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I actually use that site daily. I just set up a location with JS enabled and then bookmark it. I don't need the interactive map most of the time.

    Default deny is the best approach. Just like I don't want just any executable file to have the privilege of running on my system without being vetted, I don't want just any website/domain to be able to run scripts in my browser until it is vetted and if allowing JavaScript isn't absolutely necessary, even after the site is vetted, then I leave it disabled. There are very few sites that are absolutely broken without it and very many that make excessive and annoying use of it. Most news sites are really bad. I get 60 or more blocked scripts on some but I can still read the content while a lot of annoying things like unwanted video feeds are gone.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Actually, I have disabled JS only on a couple of my favorite sites. On all other websites I try to block as many scripts as possible. The original plan was to use only Ghostery, but I noticed that it hardly speeds up page loading, so I decided to keep using ScriptKeeper (NoScript for Opera) even though it will (partly) break 50% of all sites. :)

    Some examples of sites where I decided to disable JS to speed up loading:

    http://www.voetbalzone.nl/
    http://www.dailymail.co.uk/home/index.html
     
  15. JohnMult

    JohnMult Registered Member

    Joined:
    Mar 26, 2012
    Posts:
    133
    Location:
    Greece
    My approach is probably the less secure one, but it deals OK with many sites.
    1. I install Bluehell Firewall, the most quiet and light adblocker.
    2. In NoScript I set all scripts to run globally, but in about:config, in noscript.untrusted, I manually add Peter Lowe's list of adserver hostnames.
    The result: most sites work correctly, and if something is missed by Bluehell I mark it untrusted with NoScript.
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    I like blocking as much as I can without making a site unusable. For example, when I watch a game at goatd.net, my NoScript menu usually looks like in this picture. On this particular day, to stream this game, scripts are loaded from 11 sites but only three are really required to view the game. So those are the only sites that I white list (or allow). For the rest of the sites, five are in my untrusted list and three are not untrusted but are blocked by NoScript. For sites like Wilders, that's a no brainer, I white list wilderssecurity.com. Blocking scripts doesn't have to break the internet.

    untitled.JPG

    Bo
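
Added example (not part of any post in this thread, and not NoScript's own code): a small JavaScript model of the three script states described above (whitelisted, untrusted, blocked by default) next to the "allow globally plus untrusted list" setup from the earlier post. The host names are constructed, the function names are hypothetical, and the two-label base-domain rule is a simplifying assumption.

```javascript
// Hypothetical policy model; names and hosts are constructed for illustration.
function baseDomain(host) {
  // Simplification: last two labels. Real blockers use the Public Suffix List.
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// The verdict depends only on where the script comes from, so trusting the
// page being visited never extends trust to third-party script hosts.
function decide(policy, scriptHost) {
  const d = baseDomain(scriptHost);
  if (policy.untrusted.has(d)) return 'block:untrusted'; // wins even in global-allow mode
  if (policy.trusted.has(d)) return 'allow:trusted';
  return policy.allowGlobally ? 'allow:global' : 'block:default';
}

function tally(policy, scriptHosts) {
  const counts = {};
  for (const h of scriptHosts) {
    const verdict = decide(policy, h);
    counts[verdict] = (counts[verdict] || 0) + 1;
  }
  return counts;
}

// Constructed sample: 11 script hosts requested by one streaming page.
const SCRIPT_HOSTS = [
  'www.stream-site.example', 'embed.player.example', 'edge1.video-cdn.example',
  'js.tracker-one.example', 'tracker-two.example', 'static.adserver-a.example',
  'adserver-b.example', 'cdn.popunder.example',
  'api.widgets.example', 'social-buttons.example', 'collect.analytics-x.example',
];
const trusted = new Set(['stream-site.example', 'player.example', 'video-cdn.example']);
const untrusted = new Set(['tracker-one.example', 'tracker-two.example',
  'adserver-a.example', 'adserver-b.example', 'popunder.example']);

// Default deny: only whitelisted hosts run.
const defaultDeny = { trusted, untrusted, allowGlobally: false };
// Global allow with an untrusted list: everything runs except listed hosts.
const globalAllow = { trusted, untrusted, allowGlobally: true };

console.log('default deny:', tally(defaultDeny, SCRIPT_HOSTS));
console.log('global allow:', tally(globalAllow, SCRIPT_HOSTS));
```

The difference between the two modes is entirely in the hosts that appear on neither list: default deny blocks them until vetted, while global allow runs them until someone adds them to the untrusted list.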
     
  17. guest

    guest Guest

    Considering that I only lurk blogs, forums and image boards I rarely need to interact with NoScript's permissions. So there aren't many problems I encounter when browsing. The worst offender I have is YouTube (or any video hosting sites, they all work kind of similar).
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,072
    Location:
    Canada
    Okay I see, thanks!

    I'm using HTTPSB as follows:

    HTTP Switchboard for Chrome/Chromium: https://www.wilderssecurity.com/thre...r-chrome-chromium.356427/page-31#post-2400517

    I don't have all of the ad blocking options enabled either, since I find it breaks too much legit content, requiring more of my time to set things right.
     
  19. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    This discussion is really interesting because I feel that a richly functional, responsive and interesting web (presuming you're not willing to run native applications) requires code to run in the nominally safe and sandboxed browser! I develop in javascript for web applications, and although it's unproductive, it's essential to do what's needed sometimes - the only alternative being if you're prepared to have your server do the whole custom rendering job (as in asp mvc patterns). I guess the browser was never "supposed" to suffer from the level of attack that is being experienced.

    My feeling is that many of the issues would be resolved by demanding https for the js code links, and some form of code-signing as you can for regular desktop apps. That would at least allow you to know the source of the app, and construct suitable whitelists based on publisher for example.

    For many sites, accepting "good" sources of standard libraries like jQuery, and allowing local site code would be OK, that's all that's needed.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    I've checked out HTTPSB and at first sight it looks too complex for me. And actually, I need to correct myself, I do not only disable JS on favorite sites, but also on some sites that I visit once in a while. Basically, as soon as I see that sites are slow to load, I disable JS to see if it breaks the site display, if not: cool, if it does: bummer. :)

    Some examples:

    http://www.shop2market.com/ ---> Breaks without JS
    http://www.fireeye.com/products-and-solutions/ ---> Works even without JS
     
    Last edited: Sep 20, 2014