|
From: | awakeyet |
Subject: | Re: [Bug-gnuzilla] Suggestion: JavaScript button |
Date: | Wed, 15 Feb 2017 21:02:04 +0100 (CET) |
On 01/22/2017 09:18 AM, address@hidden wrote:forgive me, but in all seriousness, NoScript literally does exactly that
if not perhaps even better. that's the "temporarily allow scripts"
button in NoScript.
That requires you to actively turn _javascript_ back off. I'm proposing
that the browser should take care of that for you. So rather than having to:
1. Turn on _javascript_ and reload the page
2. Do all your work on that page without loading any new pages
3. Turn off _javascript_
You just do the first step and the browser takes care of everything else.also it's a security risk to temporarily allow ALL _javascript_ and
quickly disable it again because that would take away the users ability
to control what happens in that short instant. why in the name of god
almighty anyone would ever want to create a hole like that is beyond me.
I don't know what you're talking about. Allowing all _javascript_ is the
*default* setting on most browsers. I'm proposing making *no* _javascript_
execution the default, and only executing all _javascript_ on *particular
pages* when the user requests it.
It has to be all _javascript_ requested by the page for it to be
user-friendly. Just accepting a few of them almost always breaks the
page more than completely disabling JS would.unbeatable rules: everything disallowed by default, only enable
specifically what you want to allow, ONLY WHEN you want to allow it. and
that's how NoScript does it.
NoScript is too complicated for non-technical users, and it isn't
sufficient anyway. It only allows you to control what base URLs scripts
can be loaded from. That doesn't work; just about every site that uses
_javascript_ loads at least some of it from an external site, like
ajax.googleapis.com or whatever CDN the site uses.
What I am proposing is a *simple* mechanism to temporarily allow script
execution on designated websites *each time* at the push of a button,
not for technical users, but for general, non-technical users. The user
can simply be told, "some websites require you to push this button, but
only push this button if you absolutely must, because it can be a
security risk". This accomplishes two things:
1. It protects these non-technical users from _javascript_-related attacks
somewhat.
2. It encourages these users to complain to sites that don't work
without _javascript_.
The whole point of this is to encourage people who create websites to
make these websites work without _javascript_, rather than just showing a
blank page. In other words: kill _javascript_. It's a bit of a longshot,
but it would be much easier to do this than to make a browser that
actually makes it possible for users to control _javascript_ execution
properly.
--
Julie Marchant
https://onpon4.github.io
Protect your emails with GnuPG:
https://emailselfdefense.fsf.org
[Prev in Thread] | Current Thread | [Next in Thread] |