this post was submitted on 07 Jul 2024
16 points (86.4% liked)

Privacy

31859 readers
313 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
16
No script help. (lemmy.world)
submitted 4 months ago* (last edited 4 months ago) by [email protected] to c/[email protected]
 

Hey guys, I have been seeing a lot of people talking good things about noscript, I have a few questions about it:

  • Why isn't it open source? Is there a open source alternative? To me this kinda feels suspicious, installing an extension that can affect all tabs from outside the Mozzila store, while not even open source...
  • How to minimize damage? After briefly trying it on, I couldn't interact with lemmy anymore, many websites lost their dark mode, youtube wasn't pausing the video, nor was the like button working...
  • Is it really needed? What kind of threat model makes something like that needed? Wouldn't it be possible to just add other sources for uBlock to block tracking scripts or something?
top 3 comments
sorted by: hot top controversial new old
[–] [email protected] 15 points 4 months ago

It is open source and on the Mozilla store, did you get the right one? The idea is that you whitelist the websites you trust so only trusted sites can execute js. A lot of websites have js free alternatives like libreX/Y instead of google. There also is GNU librejs which only disables js that doesn’t show its source code. It being a main component of the tor browser tells you a lot about the threat level it’s for. As I understand it the difference to ublock is that it’s lists are on a “allow all but” basis and noscript is on a “block all but” basis.

[–] [email protected] 10 points 4 months ago* (last edited 4 months ago)

A lot of user fingerprinting techniques rely on JS. Plus, by shutting off JS, you reduce the attack surface of your browser. If, let's say, there was a zero-day vulnerability in Firefox that required JS to exploit, you'd be shutting off that whole means of attack if you blocked all/most JS out there on the internet. Mining cryptocurrencies on your computer via your browser can only be accomplished with the help of Javascript. A lot of forever cookie techniques require Javascript.

uBlock origin is for kindof a different use case. It's for if you're on one website that you don't necessarily suspect of evil dealings that might include buttons (like social media sharing buttons, for instance) or other scripts (like ad displaying scripts or analytics scripts) from third parties that might include evil tracking stuff. If I started a blog on https://theawesomeestblog.com/ and included script from Facebook that puts a share button on my page, and if you then visited my blog, Facebook would know because your browser would make requests from your IP with cookies they'd placed on your brower previously and JS included with the button could very well be used to do additional fingerprinting.

NoScript is for (among other things) when you don't even necessarily trust the website you're purposefully visiting. Like, I don't know if cnn.com mines Bitcoin via JS on users' browsers (and, honestly, it seems a little unlikely to me, I think), but if I disallow JS on cnn.com, then when I click a link in Lemmy to a cnn.com article (and maybe I don't even really know I'm going to cnn.com when I click the link -- it might use a link shortener or something -- or maybe it's not cnn.com, but some reasonably-trustworthy-sounding news-y-sounding domain that I haven't heard of before), I know it's not mining Bitcoin on my machine.

Oh, and as others have said, NoScript is Open Source. Says so right near the top of the home page.

[–] [email protected] 1 points 4 months ago

Any help appreciated :)