
Re: [Bug-gnuzilla] Suggestion: JavaScript button


From: Julie Marchant
Subject: Re: [Bug-gnuzilla] Suggestion: JavaScript button
Date: Sun, 22 Jan 2017 09:42:08 -0500

On 01/22/2017 09:18 AM, address@hidden wrote:
> forgive me, but in all seriousness, NoScript literally does exactly that
> if not perhaps even better. that's the "temporarily allow scripts"
> button in NoScript.

That requires you to actively turn JavaScript back off. I'm proposing
that the browser should take care of that for you. So rather than having to:

1. Turn on JavaScript and reload the page
2. Do all your work on that page without loading any new pages
3. Turn off JavaScript

You just do the first step and the browser takes care of everything else.

> also it's a security risk to temporarily allow ALL javascript and
> quickly disable it again because that would take away the user's ability
> to control what happens in that short instant. why in the name of god
> almighty anyone would ever want to create a hole like that is beyond me.

I don't know what you're talking about. Allowing all JavaScript is the
*default* setting on most browsers. I'm proposing making *no* JavaScript
execution the default, and only executing all JavaScript on *particular
pages* when the user requests it.

It has to be all JavaScript requested by the page for it to be
user-friendly. Just accepting a few of them almost always breaks the
page more than completely disabling JS would.

> unbeatable rules: everything disallowed by default, only enable
> specifically what you want to allow, ONLY WHEN you want to allow it. and
> that's how NoScript does it.

NoScript is too complicated for non-technical users, and it isn't
sufficient anyway. It only allows you to control what base URLs scripts
can be loaded from. That doesn't work; just about every site that uses
JavaScript loads at least some of it from an external site, like
ajax.googleapis.com or whatever CDN the site uses.

What I am proposing is a *simple* mechanism to temporarily allow script
execution on designated websites *each time* at the push of a button,
not for technical users, but for general, non-technical users. The user
can simply be told, "some websites require you to push this button, but
only push this button if you absolutely must, because it can be a
security risk". This accomplishes two things:

1. It protects these non-technical users from JavaScript-related attacks
somewhat.

2. It encourages these users to complain to sites that don't work
without JavaScript.

The whole point of this is to encourage people who create websites to
make these websites work without JavaScript, rather than just showing a
blank page. In other words: kill JavaScript. It's a bit of a longshot,
but it would be much easier to do this than to make a browser that
actually makes it possible for users to control JavaScript execution
properly.

-- 
Julie Marchant
https://onpon4.github.io

Protect your emails with GnuPG:
https://emailselfdefense.fsf.org
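
The behaviour proposed in this message, modelled as an added example (not part of the original message, and not IceCat or NoScript code): scripts are off on every page load, the button grants execution to all scripts on the current page only, and loading a new page drops the grant. The class and method names, the placeholder hosts, and the choice to keep the grant across a fragment-only navigation (which loads no new page) are assumptions.

```javascript
// Hypothetical model of the per-page "JavaScript button" policy.
class PageScopedScriptPolicy {
  constructor() {
    this.tabs = new Map(); // tabId -> { doc, hash, granted }
  }

  // Every page load starts with scripts off and discards the previous grant.
  // Assumption: a change of #fragment alone loads no new page, so it keeps it.
  navigate(tabId, url) {
    const next = new URL(url);
    const hash = next.hash;
    next.hash = "";
    const prev = this.tabs.get(tabId);
    const fragmentOnly = prev && prev.doc === next.href && prev.hash !== hash;
    const granted = fragmentOnly ? prev.granted : false;
    this.tabs.set(tabId, { doc: next.href, hash, granted });
  }

  // The button: step 1 of the list in the message. Returns the URL to reload.
  pressButton(tabId) {
    const tab = this.tabs.get(tabId);
    if (!tab) throw new Error(`unknown tab ${tabId}`);
    tab.granted = true;
    return tab.doc + tab.hash;
  }

  // With a grant, every script the page requests may run, whatever host
  // serves it; without one, none may. The decision is per page, not per host.
  mayExecute(tabId, scriptUrl) {
    new URL(scriptUrl); // throws on a malformed script URL
    const tab = this.tabs.get(tabId);
    return Boolean(tab && tab.granted);
  }
}

// Constructed walk-through; the hosts are placeholders.
function demo() {
  const policy = new PageScopedScriptPolicy();
  const cdn = "https://cdn.example.net/lib.js";
  const seen = [];
  policy.navigate(1, "https://shop.example.org/cart");
  seen.push(policy.mayExecute(1, cdn)); // default: off
  policy.pressButton(1);
  seen.push(policy.mayExecute(1, cdn)); // granted, third-party host included
  policy.navigate(1, "https://shop.example.org/cart#items");
  seen.push(policy.mayExecute(1, cdn)); // same page, grant kept
  policy.navigate(2, "https://shop.example.org/cart");
  seen.push(policy.mayExecute(2, cdn)); // other tab, same URL: off
  policy.navigate(1, "https://shop.example.org/checkout");
  seen.push(policy.mayExecute(1, cdn)); // new page: grant dropped
  return seen;
}
```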
