all hail No-Script

Forum: Linux
Total Replies: 26
tuxchick

Nov 09, 2010
1:37 PM EDT
I finally installed No-Script. My happiness is complete. In conjunction with AdBlock Plus it has restored my Web-surfing speeds very nearly to 1999 levels. Life is good!

ps-- good little Lxerers allow the ads on LXer.com, they're not obnoxious.
jdixon

Nov 09, 2010
1:56 PM EDT
> I finally installed No-Script...

What took you so long? No-Script and AdBlock Plus are the two essentials of web browsing.
bigg

Nov 09, 2010
2:05 PM EDT
> good little Lxerers allow the ads on LXer.com, they're not obnoxious.

I allow ads on most sites, unless they have a habit of doing things like playing audio automatically.
Scott_Ruecker

Nov 09, 2010
2:07 PM EDT
I use chrome mostly now, just doing that has made the speed of my browsing much much faster regardless of the ads. Which I do allow, but like bigg only if they don't shout at me..;-)
tuxchick

Nov 09, 2010
2:38 PM EDT
Same here, I don't block the ads unless they make me.

jdixon, sometimes I'm a little slow. and old.
jdixon

Nov 09, 2010
2:59 PM EDT
> ...and old.

From earlier conversations, I think I've got a few years on you TC. :)

And yes, I normally run with No-Script set to allow scripts and turn it on for selected sites rather than the reverse. I also frequently run with Adblock turned off. But there are times and sites for which you just have to have them.
Steven_Rosenber

Nov 09, 2010
4:18 PM EDT
Why is Ad Block better than FlashBlock? I just started using the latter ...
tracyanne

Nov 09, 2010
5:01 PM EDT
I use NoScript, AdBlock and FlashBlock. Have done for quite a while, which interestingly is probably why I've never been able to understand the complaints about Firefox being slow.
Steven_Rosenber

Nov 09, 2010
5:02 PM EDT
@tracyanne

That's probably why I find Firefox in OpenBSD so pleasant; no Flash Player available.
tmx

Nov 09, 2010
7:19 PM EDT
Adblock prevents ads from loading, but there are other addons you need to keep your privacy like Ghostery, Better Privacy and GoogleSharing, and disable geolocation in about:config.

If you use Chromium 9 you don't need Flashblock because there is a setting that disables plugins from playing unless you click on it. I don't know which alternative is better though, I'm not a hardcore Chromium/Flashblock user.
tracyanne

Nov 09, 2010
7:53 PM EDT
I already use GoogleSharing, and geolocation places me at least 400 Kms away from where I actually am. I know this because I've been working on an extension to a client's website that uses Geolocation, so my client can provide a better service for their clients, and naturally I'm using my local machine to test the code.
tqk

Nov 10, 2010
2:05 AM EDT
Update: Wouldn't you know it that the morning after enabling all that, my web browser was unable to get to anywhere, so I was concerned they'd broken web surfing! A little fiddling with ping and slrn confirmed connectivity was still there, but my ISP must've been having trouble handling web traffic.

A couple of hours later, it's all back to normal and all the crap blocking stuff's working fine. I hate computers.
hkwint

Nov 10, 2010
3:18 AM EDT
Maybe it's interesting to have another viewpoint in the thread as well, hence why I'll jump in:

I used NoScript for a while and didn't like it at all. It got in the way of browsing the web. Almost one in three pages didn't display properly (even non-JS content) and gave annoying errors. JavaScript is pretty much the future of webpages, whether you want it or not.

FlashBlock on the other hand isn't annoying, the only thing is StreetView seems to be crippled when FlashBlock is turned on.

The thing is, NoScript has no way of knowing which content is wanted and which isn't, without the user putting lots of effort in telling so. AdBlock does, because it has nice lists - also blocking some annoying JavaScripts as far as I know. It would be great if NoScript had some kind of whitelist with a voting system and the user being able to set a 'threshold score', but that's probably just dreaming. Nonetheless, I'm pretty sure AdBlock wouldn't be that popular if you had to enter all things to block (or whitelist) yourself manually. IIRC, some years ago you had to, and I didn't enjoy it that much.

Also, as far as I know (but I might be uninformed), NoScript isn't very intelligent. For example, it might be interesting to just block 'alerts' and functions which try to change window size, mouseovers (XSS attack, ahem), pop new windows up and such. So, more selectively blocking certain functions of JavaScript may be interesting.

I know most vulnerabilities in the browser nowadays are because of Javascript (if we ignore Flash for a moment), I care, and still I don't use NoScript, because it's "all or nothing"-mentality.
tracyanne

Nov 10, 2010
7:27 AM EDT
Quoting: I don't use NoScript, because it's "all or nothing"-mentality.


There are other javascript blockers that are finer grained, I just prefer NoScript, because it is all or nothing, 90+% of the time I prefer nothing.
ComputerBob

Nov 10, 2010
8:14 AM EDT
Quoting: I just prefer NoScript, because it is all or nothing, 90+% of the time I prefer nothing.

+1 I've been using NoScript and AdBlock Plus on all of my PCs for years -- ever since my Windows days. NS lets me whitelist any site that I trust with just one click.

I hate to browse without both of those addons.
jacog

Nov 10, 2010
8:59 AM EDT
I'll stick to using Javascript for development, thanks. It allows development of far more efficient pages.

If for example a user clicks "delete" on an item in a list - I could either reload the whole page as the request is submitted, making a bajillion http requests as the images/css/js etc. load, or I could just send a single request without reloading the whole page. One http request, one response, the deleted item vanishes, the user's browsing experience uninterrupted.

And security issues with Javascript tend to be related to sites that allow users to post javascript to the site into places where the code can be executed. I'll blame bad server-side code for any javascript-related issues.
cr

Nov 10, 2010
9:10 AM EDT
Adding FlashBlock to the mix is good too. Having yet another layer between your computer and a site that wants to gift you with an evercookie is A Good Thing. That way, even if you "allow xxxx.com" to get the browsing job done, flash-cookies still won't stick. You can't always avoid sites that are prone to hurl their cookies...
ComputerBob

Nov 10, 2010
9:13 AM EDT
Mmm... warm, fresh cookies.
mrider

Nov 10, 2010
1:10 PM EDT
@jacog:

How about you design your page so that it does a reload, and then afterward add J.S. such that the reload isn't necessary? It's really not that hard, simply replace the POST with your J.S call. Then it works without J.S. and you get the benefit of both worlds. Also, you cut out a lot of potential users when your site won't work without J.S. Probably the easiest way to make sure your site is handicap accessible (for want of a better term), is to make sure there's a straight HTML/CSS version available.



To continue the conversation, I like No-Script because it helps prevent surprises. Places that I like and trust are white-listed. However I feel safe clicking random links because almost certainly the place that I'm going will not be white listed. If the page doesn't work at all, then I decide whether or not to start temporarily white-listing specific domains.

Yeah it's not perfect, I might allow a site that I shouldn't have. But at least it's not an instant thrashing of my computer.
tracyanne

Nov 10, 2010
5:03 PM EDT
I also set Firefox to make all cookies session cookies only. In Privacy: "Keep cookies until I close Firefox".
hkwint

Nov 10, 2010
7:42 PM EDT
Currently, as a hobby, this JS-noob is trying to program a webapp. Won't be big and professional as I even can't code my way out of a paper bag, you know, but anyway. However, if people haven't turned on JS, it's pretty unusable, ahem.

But thanks for letting me know there are more JS blockers. The sad thing is, I (and lots of other users) do care about / are afraid of JS exploits in the browser, but have too little knowledge of JS to put a more selective blocker in place that only blocks 'hazards'.

Luckily, FF nowadays blacklists certain websites which are known to be malicious, there's NoFlash and AdBlock. Mozilla is also working on more XSS-prevention, though I don't know the current status; if it's already included in the browser I'm using ATM (FF4b nightly) or not.

https://wiki.mozilla.org/Security/CSP#Goals
gus3

Nov 10, 2010
9:40 PM EDT
Quoting: FF nowadays blacklists certain websites which are known to be malicious

Not quite. FF queries Google before the first page view from a domain.

I disable this feature:

Edit/Preferences, click "Security", then un-check "Block reported attack sites".

I don't want Google tracking me through FF any more than I want them tracking me through Chrome.
ComputerBob

Nov 11, 2010
12:07 AM EDT
Quoting: I disable this feature:

Edit/Preferences, click "Security", then un-check "Block reported attack sites".

I don't want Google tracking me through FF...

Same here.
jacog

Nov 11, 2010
3:33 AM EDT
@mrider You assume I am an amateur. :/ I always try to build with the principle of incremental improvement. The markup is perfectly javascript-free, and then the extra functionality is applied afterwards. So no, I am not cutting off any users thankyouverymuch.
mrider

Nov 11, 2010
3:00 PM EDT
@jacog:

No, no. I assume nothing, I simply say that in response to what sounded like you saying that your pages depend on scripting, as opposed to using scripting.

I'm glad to hear you do it "properly". Good on you!
hkwint

Nov 11, 2010
8:19 PM EDT
gus3:

Here's what they say: http://www.mozilla.com/firefox/phishing-protection/ As far as I can tell: FF only "specifically" queries Google whenever you hit a site that was already blacklisted. That blacklist is fetched from Google by means of a "general" query.

Google may try to read your cookies though, so I think if you hit a blacklisted site they can link that site to other behaviour they collected from you. I try to mitigate this issue by using Google Sharing.

Disabling is not a good idea in my opinion, I'm pretty sure malicious sites will have less respect for my privacy than Google. Beyond, to Google - the data about me is only valuable as long as it's not shared with the whole world.
ComputerBob

Nov 12, 2010
9:20 AM EDT
Quoting: Disabling is not a good idea in my opinion, I'm pretty sure malicious sites will have less respect for my privacy than Google.

Nit-picking, IMO. I don't trust Google to have any more respect for my privacy than malicious sites do.
