Re: [Bug-gnuzilla] Suggestion: JavaScript button

[awakeyet]

"That requires you to actively turn _javascript_ back off."
why are you
 saying "back" off? NoScript blocks everything by default and then you 
simply allow SPECIFIC individual things ONLY that you want to allow as 
you go.

"1. Turn on _javascript_ and reload the page"
"2. Do all your work on that page without loading any new pages"
"3. Turn off _javascript_"

Gosh I have a headache, I'm sorry but have you ever even used NoScript?
I'll just copypast what I said before for simplicity.

NoScript blocks everything by default and then you 
simply allow SPECIFIC individual things ONLY that you want to allow as 
you go.

I never have to turn on all _javascript_, reload, do work, turn it off, reload, and go crazy. NoScript blocks everything, and I simply allow only what I need.


"I don't know what you're talking about. Allowing all _javascript_ is the
*default* setting on most browsers. I'm proposing making *no* _javascript_
execution the default, and only executing all _javascript_ on *particular
pages* when the user requests it."

there are several addons that do this already by blocking _javascript_ and other things by default and allowing you to turn them on ONLY when you need them. 

"Allowing all _javascript_ is the
*default* setting on most browsers."

exactly why people use NoScript. I'm totally serious, look it up just to see its definition. you might be surprised.

"NoScript is too complicated for non-technical users, and it isn't
sufficient anyway."

I have seen people who don't know how to pour a bowl of cereal without the cereal pouring out all over the place and making a huge mess, successfully use NoScript easily. 

 "It only allows you to control what base URLs scripts
can be loaded from. That doesn't work; just about every site that uses
_javascript_ loads at least some of it from an external site, like
ajax.googleapis.com or whatever CDN the site uses."

I have heard that alot of people use NoScript AND RequestPolicy at the same time solving most if not all of those issues. that might be a bit too difficult for you if you don't like NoScript though to be honest. I have seen people catch on to NoScript fairly quick, so practice makes perfect.


"What I am proposing is a *simple* mechanism to temporarily allow script
execution on designated websites *each time* at the push of a button"

"This accomplishes two things:"
"1. It protects these non-technical users from _javascript_-related attacks
somewhat."
"2. It encourages these users to complain to sites that don't work
without _javascript_."

Yea but what does this do that NoScript doesn't already do? 
NoScript blocks everything by default without having to push a button, until you want to unblock SOME specific piece of the _javascript_ on the page. not, *push a button* *all java suddenly allowed*

often I have seen a person allow one piece of _javascript_ on the page and the whole page suddenly works because that was the only piece needed. 99% of the other garbage wasn't even necessary so it stayed blocked. NoScript does a great job of disallowing everything until the user specifically allows specific things.


"The whole point of this is to encourage people who create websites to
make these websites work without _javascript_, rather than just showing a
blank page."

I don't like _javascript_ as much as the next person and I would LOVE for more people to make simpler (complicated is absolutely not always better) _javascript_ free websites, but I think a giant generalized easy for newbies (no offense to newbies) allow all disallow all button is going to cause everyone else who understands how request policy and noscript work huge GIANT headaches.

what you are suggesting is basically a more permanent version of the "temporarily allow all" button in NoScript which is pretty dangerous especially when you're considering that this button will be used by "general non-technical users" or tech newbies if you will, because all they will do is be given a false sense of security by the "magic button of safety" and push it over and over again until it gives them what they want, (letting their favorite page load) something akin to an adult having a very quiet temper tantrum until they get what they want. 

general non-technical users or tech newbies sadly dont understand why icecat or gnu or free open source software (foss) or the free software foundation, or any of us for that matter, - do what we do.

they just don't get it, they are all busy using google to find something to twitter onto their facebook page while posting to the whole world that they ate cereal at exactly 10 in the morning so that the NSA can scribble down in their slave profile notebook "hmmm eats-cer-e-a-l-at-ten-in-th-e-mor-ning-"

adding a feature that gives the blissfully ignorant normal people (again no offense, just saying it like it is) a false sense of security as an excuse to use icecat isn't going to make them safer and is going to give everyone who makes icecat "Go" more work to do.

I rather spend the effort educating newbies and normal people into people who are no longer generalized non-techies, and instead are tech aware and willing to do things the right way. 

give someone a fish and they will beg you for more and maybe starve the next week. teach someone to fish and they will eat forever.







22. Jan 2017 09:42 by address@hidden:

> On 01/22/2017 09:18 AM, address@hidden wrote:
> > forgive me, but in all seriousness, NoScript literally does exactly that
> > if not perhaps even better. that's the "temporarily allow scripts"
> > button in NoScript.
>
> That requires you to actively turn _javascript_ back off. I'm proposing
> that the browser should take care of that for you. So rather than having to:
>
> 1. Turn on _javascript_ and reload the page
> 2. Do all your work on that page without loading any new pages
> 3. Turn off _javascript_
>
> You just do the first step and the browser takes care of everything else.
> > also it's a security risk to temporarily allow ALL _javascript_ and
> > quickly disable it again because that would take away the users ability
> > to control what happens in that short instant. why in the name of god
> > almighty anyone would ever want to create a hole like that is beyond me.
>
> I don't know what you're talking about. Allowing all _javascript_ is the
> *default* setting on most browsers. I'm proposing making *no* _javascript_
> execution the default, and only executing all _javascript_ on *particular
> pages* when the user requests it.
>
> It has to be all _javascript_ requested by the page for it to be
> user-friendly. Just accepting a few of them almost always breaks the
> page more than completely disabling JS would.
> > unbeatable rules: everything disallowed by default, only enable
> > specifically what you want to allow, ONLY WHEN you want to allow it. and
> > that's how NoScript does it.
>
> NoScript is too complicated for non-technical users, and it isn't
> sufficient anyway. It only allows you to control what base URLs scripts
> can be loaded from. That doesn't work; just about every site that uses
> _javascript_ loads at least some of it from an external site, like
> ajax.googleapis.com or whatever CDN the site uses.
>
> What I am proposing is a *simple* mechanism to temporarily allow script
> execution on designated websites *each time* at the push of a button,
> not for technical users, but for general, non-technical users. The user
> can simply be told, "some websites require you to push this button, but
> only push this button if you absolutely must, because it can be a
> security risk". This accomplishes two things:
>
> 1. It protects these non-technical users from _javascript_-related attacks
> somewhat.
>
> 2. It encourages these users to complain to sites that don't work
> without _javascript_.
>
> The whole point of this is to encourage people who create websites to
> make these websites work without _javascript_, rather than just showing a
> blank page. In other words: kill _javascript_. It's a bit of a longshot,
> but it would be much easier to do this than to make a browser that
> actually makes it possible for users to control _javascript_ execution
> properly.
>
> -- 
> Julie Marchant
> https://onpon4.github.io
>
> Protect your emails with GnuPG:
> https://emailselfdefense.fsf.org