this post was submitted on 05 Jun 2024
25 points (90.3% liked)

Firefox

17898 readers
111 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 4 years ago
MODERATORS
25
submitted 5 months ago* (last edited 5 months ago) by boredsquirrel@slrpnk.net to c/firefox@lemmy.ml
 

Let be begin by saying: Selectively blocking Javascript is essential for online privacy.

Fundamental idea

  • Javascript is needed for way too many websites to load correctly
  • Websites often dont only use their own Javascript to display their own menus etc. but they load tons of external Javascript.
  • There is often way more Javascript that you can block than what you need
  • No "privacy browser" can protect you if you dont invest the work of blocking Javascript per origin
  • there are many origins that just serve bullsh*t so you can always block them
  • browser sandboxes, process isolation etc. is only needed because of Javascript or CSS exploits
  • there are hacks that work through CSS only, but they are rare
  • this is why browser isolate every website in a process. They isolate these processes from the system with strict filters and sandboxes

Sum up

Javascript is a technology used to display fancy websites, moving parts, responsive interfaces etc.

It is executed code, in your browser. Unlike normal applications, the code comes from random places on the internet, and is often malicious.

This is why browsers need to be so secure.

Many developers bundle random 3rd party javascript into their website, mostly for capitalist "get some more cents" purposes.

This is what a shitty website looks like (and yes it runs perfectly fine after blocking all that)

This means often: the website, AND the developers of the javascript will both get your personal data.

If you block Javascript, you avoid 99% of security issues, and automatically block most trackers.

Websites cannot place cookies in the browser, if you block javascript!

Some things to know

  • Google reCaptcha is a nasty difference, as it requires many origins at once. NoScript has the "allow all Javascript on this tab" for this purpose
  • some sites may load fine without Javascript, but menus dont work.

Setup of NoScript

Install the Addon and go into its settings.

per site permissions

It has some very loose, "security only" settings, so most of "Big Tech" is trusted by default. If you dont use it, set it to "untrusted".

general settings

Here you can select what "default", "trusted" and "untrusted" do.

Default

  • I change it to "block all". Most websites dont load with the default settings anyways
  • if you set "noscript", websites can see that "your browser does not support Javascript". This may cause them to display a no-js website, but that is really rare.
  • The "noscript" makes you stand out from the crowd very likely. There are other methods to check if you support javascript, like just trying to run it.

Trusted

  • I enable everything but these:
    • ping: pretty shady stuff, thanks @leanleft@lemmy.ml
    • noscript: you support Javascript so not useful
    • LAN: block requests to your local network, should not be needed in most cases
    • unverified CSS: important blocking this is more secure (see above, CSS-only exploits are possible) but drastically slows down the speed of your browser
    • other: better not enable random other Javascript types

Untrusted

  • block everything
  • maybe allow noscript (see above)

See the explanations for all Javascript variants here

Workflow of NoScript

I think the author didnt really consider the implications, so these loose settings make little sense.

NoScript makes most sense for "goodness enumeration". By default, all Javascript is blocked.

At the beginning it may be annoying, but it will become less and less work:

  1. Open a website
  2. It likely doesnt load
  3. Click on the NoScript icon
  4. Set the Javascript of this Website to "trusted"
  5. NoScript automatically reloads the site
  6. maybe: Repeat, you may need to allow CDNs, image hosts etc.

Once you did this to all your commonly visited sites, only new ones will need manual configuration.

This approach becomes less effort over time, unlike badness enumeration, which gets more and more.

(I thought about giving you my 2 years old configuration as a headstart, but it is basically my browsing history. I would be interested in sharing a config on some Git host though, as this makes starting with NoScript way more pleasant)

Background on "badness enumeration"

Adblockers use something called "badness enumeration".

Example of badness enumeration:

  • Adblockers: allow all content to load, block a, b and c ONLY
  • Malware scanners: allow all code to execute, but block hashes a, b, c
  • Some Firewall Blocklists: allow all incoming traffic, but block all IPs coming from Russia

The system is fundamentally flawed, as

  1. The authors of blocklists always need to be perfectly up to date
  2. Once a new malware/site/ad comes out, it will stay unblocked for a while
  3. It assumes every user needs the same
  4. It needs always growing filterlists and malware databases, that get bigger and bigger

Avoid badness enumeration when possible. Btw, NoScript likely also blocks many Ads on websites.

top 10 comments
sorted by: hot top controversial new old
[–] leanleft@lemmy.ml 5 points 5 months ago (1 children)
[–] boredsquirrel@slrpnk.net 3 points 5 months ago

Damn wtf. Good to disable it!

It's definitely more convoluted, but uBlock Origin can also selectively block pretty much anything, really. That being said, whatever tool you use, blocking any third party stuff per default is always a good start, to see how well any given site can work without it. Tells you a lot already

[–] hexagonwin@lemmy.sdf.org 2 points 5 months ago (1 children)

I'm still using uMatrix (actually a nuTensor fork) because of other features. uBO doesn't have the exact same features..

is it possible to block XSS requests and enable cookies for selected domains on NoScript as well?

[–] boredsquirrel@slrpnk.net 1 points 5 months ago

Will look at nuTensor!

XSS requests show a popup and I think you can say "allow always" there. Cookies are not that dangerous if you delete them on close. I mean there are people that never shut down their PCs... but yeah.

[–] sabreW4K3@lazysoci.al -4 points 5 months ago (1 children)

The best tip anyone would ever give you regarding NoScript is not to use it. There's better more modern alternatives.

[–] sjstulga@fosstodon.org 6 points 5 months ago (1 children)
[–] boredsquirrel@slrpnk.net 7 points 5 months ago (1 children)

I know UblockOrigin can do it, but I prefer the simpler UI of NoScript. It is way better to click especially on mobile, has a single popup menu instead of multiple ones.

[–] Truck_kun@beehaw.org 4 points 5 months ago (1 children)

I honestly only know how to 'block all javascript' on uBlock. Selective blocking is less intuitive if available.

NoScript makes it easy, as does uMatrix, to selectively block/allow third party domains. uBlock is great, but I've always found fine-tuned features on it less intuitive.

[–] boredsquirrel@slrpnk.net 1 points 5 months ago

uMatrix is discontinued poorly. It was a very complex but good addon.