16
No script help. (lemmy.world)
submitted 4 months ago* (last edited 4 months ago) by ChilledPeppers@lemmy.world to c/privacy@lemmy.ml

Hey guys, I have been seeing a lot of people talking good things about noscript, I have a few questions about it:

  • Why isn't it open source? Is there a open source alternative? To me this kinda feels suspicious, installing an extension that can affect all tabs from outside the Mozzila store, while not even open source...
  • How to minimize damage? After briefly trying it on, I couldn't interact with lemmy anymore, many websites lost their dark mode, youtube wasn't pausing the video, nor was the like button working...
  • Is it really needed? What kind of threat model makes something like that needed? Wouldn't it be possible to just add other sources for uBlock to block tracking scripts or something?
you are viewing a single comment's thread
view the rest of the comments
[-] TootSweet@lemmy.world 10 points 4 months ago* (last edited 4 months ago)

A lot of user fingerprinting techniques rely on JS. Plus, by shutting off JS, you reduce the attack surface of your browser. If, let's say, there was a zero-day vulnerability in Firefox that required JS to exploit, you'd be shutting off that whole means of attack if you blocked all/most JS out there on the internet. Mining cryptocurrencies on your computer via your browser can only be accomplished with the help of Javascript. A lot of forever cookie techniques require Javascript.

uBlock origin is for kindof a different use case. It's for if you're on one website that you don't necessarily suspect of evil dealings that might include buttons (like social media sharing buttons, for instance) or other scripts (like ad displaying scripts or analytics scripts) from third parties that might include evil tracking stuff. If I started a blog on https://theawesomeestblog.com/ and included script from Facebook that puts a share button on my page, and if you then visited my blog, Facebook would know because your browser would make requests from your IP with cookies they'd placed on your brower previously and JS included with the button could very well be used to do additional fingerprinting.

NoScript is for (among other things) when you don't even necessarily trust the website you're purposefully visiting. Like, I don't know if cnn.com mines Bitcoin via JS on users' browsers (and, honestly, it seems a little unlikely to me, I think), but if I disallow JS on cnn.com, then when I click a link in Lemmy to a cnn.com article (and maybe I don't even really know I'm going to cnn.com when I click the link -- it might use a link shortener or something -- or maybe it's not cnn.com, but some reasonably-trustworthy-sounding news-y-sounding domain that I haven't heard of before), I know it's not mining Bitcoin on my machine.

Oh, and as others have said, NoScript is Open Source. Says so right near the top of the home page.

this post was submitted on 07 Jul 2024
16 points (86.4% liked)

Privacy

31995 readers
1305 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS