NoScript Awarded $10,000

CmdrTaco posted more than 2 years ago | from the useful-little-tools dept.

Security 178

An anonymous reader noted an interesting bit of information about a tool a ton of Slashdot users make use of every day: "NoScript has been chosen as the recipient of the DRG Security Innovation Grant. This is a great honor and a spur to keep making the Web a safer place. I feel the urge to thank the committee for recognizing NoScript as a pioneering force in browser security, and the community of contributors, researchers, translators, beta testers, and loyal users who keep this project alive day after day. The grant will fund the effort to merge the current two development lines, i.e. 'traditional' NoScript for desktop environment."

178 comments

Should have been a default in browsers from day 1 (5, Insightful)

elrous0 (869638) | more than 2 years ago | (#36811872)

The fact that this ever had to be an *add-on* is just shameful. The fact that IE and Safari still don't have it (or something very similar) is close to criminal. Okay, Chrome has NotScripts [lifehacker.com] , but that apparently requires some weird hacking to use securely.

And, no, the non-default ability to turn *all* scripts on or off isn't even close to the same thing. As the great Jules would say--it's not the same ballpark, not the same league, not even the same sport.

Re:Should have been a default in browsers from day (2, Insightful)

Anonymous Coward | more than 2 years ago | (#36811980)

For Safari: Glimmer blocker [glimmerblocker.org] is both an ad blocker and can deny and/or rewrite scripts on the fly.

Re:Should have been a default in browsers from day (1)

Anonymous Coward | more than 2 years ago | (#36812072)

The fact that this ever had to be an *add-on* is just shameful.

As long as it's disabled by default. It'd make more sense for Adblock Plus to be integrated by default with ad/privacy lists added. NoScript is still a usability-destroying sledgehammer unfortunately. I haven't been able to find a reason as to why I should keep it installed and endure the headache.

Re:Should have been a default in browsers from day (-1, Troll)

spire3661 (1038968) | more than 2 years ago | (#36812212)

This, exactly. I would rather back up my machine properly and practice safe browsing habits than put up with NoScript's bullshit. I've read for years people extolling its virtues, but I personally cannot stand the neutered web it presents. Keep your machine patched, keep backups and you won't have to put up with its nonsense.

Re:Should have been a default in browsers from day (3, Interesting)

fast turtle (1118037) | more than 2 years ago | (#36812394)

Well I love the Neutered web experience because I absolutely Hate flash/silverlight and iframes because they've been exploited too many times. As to the usability of a website, I feel that any site that absolutely depends upon flash/silverlight to be usable is one I don't need to visit again. For those business sites like Asus or HP, I've begun filing ADA (american disabilities act) complaints that the websites are not accessible to disabled users (flash doesn't support screen readers - nor does it work worth a damn for those who have even a mild vision impairment).

Hopefully, we'll start seeing companies getting it right by sticking with Standards compliant HTML for their main pages with proper links to the various departments. There is absolutely no reason for a website to depend on anything except HTML for functionality, as it is the lowest common denominator.

Re:Should have been a default in browsers from day (1)

engineerpop (2386170) | more than 2 years ago | (#36812578)

As to the usability of a website, I feel that any site that absolutely depends upon flash/silverlight to be usable is one I don't need to visit again. For those business sites like Asus or HP, I've begun filing ADA (american disabilities act) complaints that the websites are not accessible to disabled users (flash doesn't support screen readers - nor does it work worth a damn for those who have even a mild vision impairment).

There is absolutely no reason for a website to depend on anything except HTML for functionality, as it is the lowest common denominator.

So not only are you trying to tell other web users how to use the web and what they should like, you started acting like an asshole? First of all, did you even contact those companies first, or did you immediately send a government complaint? Then you are admitting you aren't even doing it for the disabled people, but only because you don't like Flash within your browsing experience. As a person whose legs don't work that well, it's kinda sad you use disabled people as your personal weapon to get revenge on things you don't like.

Re:Should have been a default in browsers from day (0)

drsmack1 (698392) | more than 2 years ago | (#36812650)

Next stop on the information highway: Nutsville, population: you

Shame on you for mis-using the ADA for your pet peeves. Asshole.

Re:Should have been a default in browsers from day (0)

Anonymous Coward | more than 2 years ago | (#36813472)

It's the law. Grow up, asshole. Dickwad.

Re:Should have been a default in browsers from day (1)

roman_mir (125474) | more than 2 years ago | (#36813874)

For those business sites like Asus or HP, I've begun filing ADA (american disabilities act) complaints that the websites are not accessible to disabled users

- yeah, because for some reason companies must spend time and money building things for corner cases rather than for their main target customer. Government. Is there anything it can do that does not hurt the economy? If it can, I haven't found one example yet so far.

Re:Should have been a default in browsers from day (4, Insightful)

Jah-Wren Ryel (80510) | more than 2 years ago | (#36813944)

Government. Is there anything it can do that does not hurt the economy? If it can, I haven't found one example yet so far.

+5 ironic for writing that on the internet.

Re:Should have been a default in browsers from day (1)

roman_mir (125474) | more than 2 years ago | (#36814020)

+5 ironic for writing that on the internet.

- Oh, yes. Al Gore invented it, while DARPA misused an old packet switching protocol from POTS and mixed it up at taxpayers' expense with existing communication systems. Or did you think that before DARPA there were no networks? Or that DARPA came up with packet switching out of nothing?

How much innovation is stifled by government intervention into the economy, by mis-allocation of resources, and what would we have today if there was no government intervention and mis-allocation?

No, I don't consider my original comment ironic at all, I consider yours misguided.

Re:Should have been a default in browsers from day (5, Informative)

nabsltd (1313397) | more than 2 years ago | (#36812474)

This, exactly. I would rather back up my machine properly and practice safe browsing habits than put up with NoScript's bullshit. I've read for years people extolling its virtues, but I personally cannot stand the neutered web it presents.

The whole point of NoScript is to allow you to control whether scripts run on a finer level than the "off/on" that browsers support natively, and it does that easily, with one click per domain.

If you use NoScript to deny scripts globally, then you are using it wrong. Instead, you enable each domain (just once, as NoScript remembers the setting) that you deem safe. This makes browsing much more secure, although you can still be caught if a trusted domain starts serving malware scripts, but it's better than being open to attack from every domain.

Re:Should have been a default in browsers from day (1)

hedwards (940851) | more than 2 years ago | (#36813036)

The point of noscript is to deny scripts globally and then just enable the ones that you deem to be safe. I assume that's what you meant because if you just blacklist domains that you know to be malicious you might as well just send your information directly to the crackers.

Re:Should have been a default in browsers from day (0)

Anonymous Coward | more than 2 years ago | (#36813252)

You'd still be safe even if a domain is hijacked to serve malware if you block dynamic content for trusted sites (JS can execute, but things like flash need to be activated by clicking on the placeholder), I've been doing this for years and don't look back.

Except you have to turn it off everywhere (2)

pavon (30274) | more than 2 years ago | (#36813576)

I tried to use it for a couple months, but more than half of the web-forms on the internet require javascript to submit properly. So I would spend all this time filling out these forms, get to the end, and either nothing happens when you click submit or you get an error. So I disable NoScript for the site, only to have the browser (or the website) clear everything that I just entered into the form, and I have to start over again.

Other sites wouldn't have working menus, others didn't have working links at all. All of this is the fault of bad developers, but regardless of who is to blame, I still have to live with it. JavaScript is too tangled up into the design of most sites to be able to disable it and not have half the web break. It isn't like plugins like flash, where you get a nice segregated box that is disabled, and everything else works like normal.

The only way I could stand to use NoScript was to Allow All, but keep the cross-site scripting protection on.

Re:Should have been a default in browsers from day (0)

Anonymous Coward | more than 2 years ago | (#36813418)

Using noscript is an inconvenience, sure. But restoring from backup is a greater inconvenience. You should keep backups in hopes you'll never have to use them not because you plan to use them regularly. Simply put, I'd rather put more effort into the prevention of problems than coping with them.

I used to keep backups so I could reinstall Windows once or twice a year when it became slow and unreliable. I got tired of dealing with Windows being defective. I switched OSes and now I use backups as a "just in case" rather than to facilitate an annual chore.

Re:Should have been a default in browsers from day (0)

Anonymous Coward | more than 2 years ago | (#36813934)

NoScript has a blacklist mode (allows scripts to be run by any site that isn't blacklisted). It isn't enabled by default and it doesn't have an editor in the UI to add or remove sites from the blacklist, but it is easy to add a new site to the blacklist, just click on the NoScript icon in the notification field (is it called that in English?).

The option to turn on blacklist-mode (and off whitelist-mode) is called something like "Allow scripts globally" (sorry if the translation is wrong, I don't have an English language UI). Paired with Adblock Plus (which blocks content based on a blacklist you can subscribe to), this gives good enough protection (feel free to correct me if I'm wrong!).

The blacklist-mode still gives you good protection against a lot of JavaScript attacks (and that might cause trouble on sites with horrible security practises).

Of course, as always, Opera has built-in functionality that does this better than NoScript and Adblock. Damn shame I'm not allowed to use Opera by my bank and some other sites.

I would say that 99% of the sites I visit that depend on JavaScript being enabled, shouldn't really depend on JavaScript, they are just coded by lazy people. But unfortunately I do "need" to be able to use some of those sites and blacklist-mode is more convenient than whitelist-mode.
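
Added example, not part of any comment in this thread and not NoScript's code: a simplified model of the whitelist (default deny) and blacklist ("Allow scripts globally") modes discussed in the comments above, run over one page's script sources. The hostnames, the function names and the rule that a listed domain also covers its subdomains are assumptions of the example.

```javascript
// Added illustration: a simplified model of per-domain script control.
// This is NOT NoScript's code; hostnames and paths are constructed samples.

// Constructed sample: script sources a single page might pull in.
const SAMPLE_SCRIPTS = [
  "https://news.example/js/site.js",             // first party
  "https://cdn.news.example/lib/forms.js",       // first-party subdomain
  "https://ads.tracker.example/t.js",            // known ad/tracking host
  "https://widgets.social.example/share.js",     // third-party widget
  "https://news.example.unknown-host.test/x.js"  // lookalike of the trusted name
];

// True when host is the listed domain itself or one of its subdomains
// (subdomain coverage is an assumption of this model).
// The leading dot matters: a bare endsWith() would also match
// "fakenews.example", and a bare includes() would match the lookalike above.
function hostMatches(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

// Decide whether one script source may run.
//   mode "whitelist": default deny, only listed domains run.
//   mode "blacklist": default allow, only listed domains are blocked.
function decide(scriptUrl, policy) {
  if (policy.mode !== "whitelist" && policy.mode !== "blacklist") {
    throw new Error("unknown mode: " + policy.mode);
  }
  let host;
  try {
    host = new URL(scriptUrl).hostname.toLowerCase();
  } catch (err) {
    // Fail closed in both modes when the source cannot be parsed.
    return { source: scriptUrl, allowed: false };
  }
  const listed = policy.domains.some((d) => hostMatches(host, d.toLowerCase()));
  const allowed = policy.mode === "whitelist" ? listed : !listed;
  return { source: host, allowed };
}

// Split a page's script sources into those that run and those that do not.
function evaluatePage(scriptUrls, policy) {
  const result = { allowed: [], blocked: [] };
  for (const url of scriptUrls) {
    const d = decide(url, policy);
    (d.allowed ? result.allowed : result.blocked).push(d.source);
  }
  return result;
}

// The same page under both modes (constructed policies).
const whitelist = { mode: "whitelist", domains: ["news.example"] };
const blacklist = { mode: "blacklist", domains: ["ads.tracker.example"] };
console.log("whitelist:", evaluatePage(SAMPLE_SCRIPTS, whitelist));
console.log("blacklist:", evaluatePage(SAMPLE_SCRIPTS, blacklist));
```

In whitelist mode only the first-party host and its subdomain run; in blacklist mode the unlisted lookalike host runs as well, because nobody has listed it yet.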

Re:Should have been a default in browsers from day (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#36812146)

I am a professional swimmer, and the rest of my swimming team quite frequently came over to my house to 'cool down' after training. Not trying to brag or anything, but I have a very large pool so it seemed only natural that a lot of the team would come over and hang out frequently. You could think of my pool as my PS3, everyone came over to play in it. Anyways, getting back to the story, one day I had the house to myself so the entire team (about 20 guys) came over for drinks. A few drinks turned into a few dozen drinks, and to make a long story short we all went skinny dipping in my pool. Being the drunk idiots that we were, we were doing lots of stupid things. For instance, the neighbours cat kept hanging around so for no real reason we started splashing it with water just to piss the rank bastard off. The cat was not happy, and it gave me a look that I will never forget. Being drunk, however, meant that I didn't give a shit and I ignored what I can only interpret in hindsight as a stern warning. After an hour or two of skinny dipping with all the boys, and splashing the cat with water whenever it came within 'splashing range', we all decided that we'd had more than enough to drink and decided to call it a night. We all got out of the pool, one by one, butt naked. I don't know why exactly, but all of the team continued to stand around naked for several minutes just chatting after getting out of the pool. It was during this time that I saw the cat approach in the corner of my eye, but I thought nothing of it. "Oh look, its that shit-eating cat again", I thought to myself. I should have known better; a cat never hangs around for no reason. Without warning, the cat suddenly turned its homosexual strut into a sprint and ran straight towards us in all of our naked glory, launching itself into the air as if it had wings. "ARGHHHHHHH" I heard tom yell, "GET IT THE FUCK OFF!!". 
Without warning, the cat had launched its retaliation for being splashed with water; it had severed Tom's penis off with surgical precision, and had already launched itself onto the next, nearest, dangling penis. Being extremely intoxicated and inebriated, we were defenceless, and within minutes the neighbours cat had attacked, and in some cases consumed, the genitals of half the swimming team. Whilst this was occuring, the cat was purring the entire time; seemingly proud of its counter-strike on our manhood.

If our neighbour had a dog instead of a cat, several men would still have functioning anatomy. Alas, we don't. Conclusion: the OP is lucky to have a dog instead of a cat. It just saved his genitals.

WTF... (1, Troll)

MBC1977 (978793) | more than 2 years ago | (#36812606)

Are you stupid / dumb / bat-shit crazy / or high off of canned air?

What the fuck...does this have to do with NoScripts?

Re:WTF... (0)

Anonymous Coward | more than 2 years ago | (#36812860)

both noscript and the cat cut off your balls.

Re:Should have been a default in browsers from day (4, Informative)

uigrad_2000 (398500) | more than 2 years ago | (#36812354)

Ghostery [ghostery.com] exists for Firefox/Chrome/IE/Safari, and can be taught to behave as noscript.

Re:Should have been a default in browsers from day (2)

phatphoton (2099888) | more than 2 years ago | (#36812936)

I use both. It makes the list of scripts that I should consider considerably shorter and also blocks confusing scripts I may otherwise allow in the process of trying to get a webpage to work. They all make life easier and more secure. Or at least I feel secure knowing so many things that used to happen now are blocked and I still have a usable web browsing experience.

Re:Should have been a default in browsers from day (1)

Pope (17780) | more than 2 years ago | (#36812510)

It was. Netscape up to version 3 had menu items that would turn JavaScript on and off, and images on and off. For NS4 those were buried in the settings dialog, and were therefore not easily switched on the fly.

Re:Should have been a default in browsers from day (2, Informative)

Anonymous Coward | more than 2 years ago | (#36812842)

It was. Netscape up to version 3 had menu items that would turn JavaScript on and off, and images on and off. For NS4 those were buried in the settings dialog, and were therefore not easily switched on the fly.

PrefBar [tuxfamily.org] restores this functionality. Single-click control of images (for those not-necessarily-SFW threads), colors (for that asshat on FailSpace who thought that red on a green background was a good idea), and of course, Javashit, Java, Flash, cookies, referrer-sending, and so on.

Re:Should have been a default in browsers from day (2)

TheRaven64 (641858) | more than 2 years ago | (#36813972)

Safari still has menu items to turn images, JavaScript, and CSS on and off for the current web page. The point of NoScript is to give you a greater level of granularity (i.e. allow just these scripts on this site, but not those) and to make these persist across browsing sessions.

Re:Should have been a default in browsers from day (0)

Anonymous Coward | more than 2 years ago | (#36812696)

The ability to turn all scripts off is the same ballpark, the same league and the same sport. You're forgetting that 98% of people who use these web browsers don't know what a script is.

Re:Should have been a default in browsers from day (1)

jellomizer (103300) | more than 2 years ago | (#36812726)

For a simple reason it isn't installed by default.
Security isn't convenient.
The best security tools make your experience seem like you are warden of a jail house. There is only so much you can do to make them easy. The rest the company will decide not to add because it will make the app too hard to use. Especially if you need to compete with Internet Explorer. Where you need to be more secure and show that it can run all the stuff that IE can.

Re:Should have been a default in browsers from day (1)

Tolkien (664315) | more than 2 years ago | (#36812768)

I think, personally, that the fact that we even need NoScript is shameful.

Re:Should have been a default in browsers from day (1)

Tsingi (870990) | more than 2 years ago | (#36812868)

it's not the same ballpark, not the same league, not even the same sport.

You know, I could use a foot massage.

Re:Should have been a default in browsers from day (0)

Anonymous Coward | more than 2 years ago | (#36813736)

There are some of us who still think browsers shouldn't be scriptable, period. If you want to make an application, release binaries.

Did they also get a grant... (3, Informative)

twocows (1216842) | more than 2 years ago | (#36811906)

Re:Did they also get a grant... (1)

improfane (855034) | more than 2 years ago | (#36811944)

Yes, the author does not have a good track record.

He apologized for it but you do have to wonder. Money blinds.

Re:Did they also get a grant... (1)

melikamp (631205) | more than 2 years ago | (#36813442)

As much as I loved NoScript, I uninstalled it the moment the story broke. But after reading Giorgio's apology [hackademix.net] I was totally convinced that he meant no harm and learned his lesson, so I reinstalled NoScript only a few days later.

Re:Did they also get a grant... (5, Insightful)

Anonymous Coward | more than 2 years ago | (#36812128)

Yes, two fucking years ago the guy made a poor decision in the heat of the moment which he later apologized for. We should definitely crucify him for it forever.

MOD PARENT UP (0)

mdm42 (244204) | more than 2 years ago | (#36812198)

Please.

MOD PARENT DOWN (0)

Anonymous Coward | more than 2 years ago | (#36813544)

...and mod the grandparent up.

Re:MOD SIBLING SIDEWAYS (1)

Anonymous Coward | more than 2 years ago | (#36813628)

... and mod the great-grandparent diagonally.

Re:Did they also get a grant... (5, Insightful)

twocows (1216842) | more than 2 years ago | (#36812284)

It certainly was a while ago and he did apologize (after the backlash), and I agree that we shouldn't hold it against him forever. Still, I tend to be wary of NoScript these days because of it. I'm not sure I would trust someone who abused his position like that with a $10k grant is all. Maybe I'm being unreasonable, but I don't think it's a big leap to think that someone who abused their position for monetary gain once might do so again. And it's definitely something that I think people who use NoScript should know about, old or not.

Re:Did they also get a grant... (3, Interesting)

Baloroth (2370816) | more than 2 years ago | (#36812382)

Maybe not. But, it definitely raises questions about the guy's integrity. And, you can't help but wonder if this hadn't been noticed and created massive outcry, whether he would have apologized at all, or whether he was just imitating large corporations' policy of "hope they don't notice, apologize if they do."

Oh yeah, and why one addon is able to make changes to another in Firefox without notifying the user. I haven't used Firefox much (prefer Opera), but is this still possible? If it is, why? Seems like a pretty large security problem. The answer is obviously only to install trusted addons, but if even a major addon like this has a history of doing it, what can you really trust?

Re:Did they also get a grant... (1)

tlhIngan (30335) | more than 2 years ago | (#36812804)

Maybe not. But, it definitely raises questions about the guy's integrity. And, you can't help but wonder if this hadn't been noticed and created massive outcry, whether he would have apologized at all, or whether he was just imitating large corporations' policy of "hope they don't notice, apologize if they do."

Who cares about the guy's integrity? After all, NoScript is open-source and isn't that the important part?

If you don't trust the guy, take the latest revision (it's GPLv2+ and the source is in the XPI file), and fork it - isn't that the whole point of open source? Considering we've got LibreOffice forked when Oracle acquired Sun and OpenOffice. I don't see why we can't have FreeNoScript as well.

Don't trust it, fine, but when its usefulness is there and it's open-source, I don't see why a more trusted version can't be created. Heck, I'm surprised no one has created a malware version of NoScript.

Re:Did they also get a grant... (1)

Baloroth (2370816) | more than 2 years ago | (#36813282)

We can. But, unless you, personally, look through the source code, you can't be sure that that is any more trustworthy than the version that already exists. In fact, it might even be less so, if simply because fewer people use it (and, as you say, nothing prevents someone making a malware version and calling it "FreeNoScript"). And frankly, I have little desire in having to do so.

Of course, being open source and popular means that I can usually trust someone to look at it and call out any problems, and I trust most open source sources, but it's always possible for it to have malware behavior, and it's part of the reason I am wary of ANY addons or extensions at all, though I do use a few in Opera. Extensions just happen to be particularly bad as they are usually done by one or two random people whom I have no particular reason to trust.

Re:Did they also get a grant... (1)

drsmack1 (698392) | more than 2 years ago | (#36812680)

Good thing you are posting anonymously, betcha don't want to get caught again!

Re:Did they also get a grant... (1)

TheVelvetFlamebait (986083) | more than 2 years ago | (#36812688)

Two years! Wow, they practically get a free ride in /. terms! If Microsoft could have had a two year grudge period, back when they did things wrong...

Re:Did they also get a grant... (1)

hedwards (940851) | more than 2 years ago | (#36813064)

If MS had only made one mistake 2 years ago, I doubt very much that we'd be after them to this extent.

Re:Did they also get a grant... (0)

Anonymous Coward | more than 2 years ago | (#36812694)

Yes, not getting $10k is certainly a crucifixion.

Re:Did they also get a grant... (0)

Anonymous Coward | more than 2 years ago | (#36812914)

YMBNH

Once true is always true on the never forgetting Internet.

For example, Linux 2.4 had poor hardware support. This fact makes the following also facts: Linux 3.0 still has poor hardware support, it's amazing it works on anything at all. Anyone that does manage to get Linux working with their hardware has to patch their Kernel using vi.

This extends to all kinds of useful tactics which you can use to "inform" others about essential truths.

1. State an undeniable fact.
2. Then, state as fact something you would like to be true for the sake of your argument. (Hint: it doesn't actually have to be true.)
3. When they try to "correct" you, simply point out how right you are about your first point. This will weaken their resolve since they won't be able to counter your rightness. Remember, the appearance of certainty alone is often enough for a +5 informative.
4. In all caps use either "WOW", "REALLY???", or combine the two for extreme effect. Expressing amazement at an opposing view point is a strong bullet point for any attempt to win the Internet. Often entire arguments can be summed up with those two words.
5. Always state that you have many years of experience (even if the technology isn't that old).
6. Use at least two buzz words associated with article summary especially if they are ambiguous. Then use a buzz word from another recurring Slashdot discussion. It doesn't have to be relevant, just use it. Sounding technical is the same as sounding certain.

Welcome to the intertubes, dude. Here's your diploma.

Re:Did they also get a grant... (4, Insightful)

Microlith (54737) | more than 2 years ago | (#36812416)

So he has a stupid spat with the guys at AdBlock Plus. So what?

People make stupid mistakes every once in a while. He apologized, and hasn't done anything dumb since. In the meantime, NoScript has continued to be a valuable tool that I add to every Firefox installation I use (well, all once he adds support for Firefox Mobile.)

Re:Did they also get a grant... (1)

interkin3tic (1469267) | more than 2 years ago | (#36813050)

Dude writes one of the most useful extensions ever to most people who use it, protecting millions, lets the world use it for free, makes one questionable move, apologizes for it a few days later, continues making useful product...

And people act like he's a scumbag.

If you feel hurt by his actions, you get a free year of using noscript. You can use it all you want and don't have to pay him a dime. If you've donated a reasonable amount in the past, you can whine about it. If you were using noscript for free, THEN SHUT THE FUCK UP.

Recognition vs usefulness (4, Interesting)

DeHackEd (159723) | more than 2 years ago | (#36811962)

Does this mean web designers will start making their web sites actually work when users without javascript try to use them?

(The list of offenders is too long to name.)

Re:Recognition vs usefulness (2)

betterunixthanunix (980855) | more than 2 years ago | (#36812014)

How dare you speak that kind of blasphemy against web 2.0! Do you not see how using javascript for everything is improving the user experience and making the world a better place?!

Re:Recognition vs usefulness (0)

Anonymous Coward | more than 2 years ago | (#36812042)

Why should they? JavaScript, while being a fairly unpleasant language to write, is extremely helpful for making useful, clean, modern websites. It just can't be done without AJAX.

Looking at static pages and using traditional forms is cute, but it doesn't cut it anymore.

Re:Recognition vs usefulness (5, Insightful)

6031769 (829845) | more than 2 years ago | (#36812408)

JavaScript [...] is extremely helpful for making useful, clean, modern websites.

I'll see your "useful, clean, modern" and raise you "glacial, bloated, bug-ridden".

Both JS and non-JS sites can be written well or poorly, and I'm not averse to a little javascript where it demonstrably improves the user experience, such as auto-focus into form fields for example. However, the problem is that some designers/developers just don't know when to stop, and seemingly only test their results on a gigabit LAN with a browser on their quad-core monster. As a consequence they think nothing of pulling in scripts and libraries from half a dozen sources and then proceed to use only one tenth of that code in the page. Frequently I see JS code where the whole way through it keeps testing over and over again for specific user agents so that it can choose which hackish workaround to employ instead of testing once and pulling in a browser-specific library. I have a 10Mbps broadband connection here and some pages take longer to load and render than they did 15 years ago.

Good designers and devs can produce excellent JS-based sites. But the other 99% are just a struggle to use and a good proportion of those are close to unusable.

Re:Recognition vs usefulness (4, Insightful)

hedwards (940851) | more than 2 years ago | (#36813088)

Javascript itself isn't the problem so much as the tendency to need to allow javascript from 20 or 30 sites just to view a page in its entirety. Typically they don't tell you what sites they genuinely use so if you don't recognize the domain name then you don't have any way of knowing if it's intended to be executed by the web devs.

Re:Recognition vs usefulness (0)

Anonymous Coward | more than 2 years ago | (#36812174)

No they will keep the status quo. Don't want to run our scripts, fuck you gtfo.

Re:Recognition vs usefulness (2)

Bengie (1121981) | more than 2 years ago | (#36812388)

AJAX reduces server load by removing excess postbacks. Pretty much any interactive website.

The problem is websites that don't require postbacks but use Javascript for random crap.

Re:Recognition vs usefulness (3, Interesting)

wwfarch (1451799) | more than 2 years ago | (#36812712)

I don't even think using Javascript is the issue. The problem is requiring Javascript for random crap. Graceful degradation is something most websites fail to adhere to even when it's easily possible.

Re:Recognition vs usefulness (1)

Anrego (830717) | more than 2 years ago | (#36813024)

Graceful degradation is something most websites fail to adhere to even when it's easily possible.

Not enough return on investment to be worth the bother of even thinking about it for the tiny fraction of users you turn away having a site not work without javascript.

Web accessibility is much like building accessibility. Totally not worth the owners money (from a purely business standpoint..). Unless it's done as a PR thing (someone whines loudly enough) or the law comes by and says "look, we know it's not financially worth it for you.. but do it anyway because it's the moral thing to do" .. probably won't happen on the large scale.

And I really hope they don't legislate web accessibility! I think it's a great idea... but I have a feeling any laws mandating web accessibility would be so broken and ass-backwards that they would just make things worse.

Re:Recognition vs usefulness (0)

Anonymous Coward | more than 2 years ago | (#36813928)

> Does this mean web designers will start making their web sites actually work when users without javascript try to use them?

I am the author of a web application, and the whole application is centered around a third-party API that is only available as a Javascript library. As much as I would like to honor your preferences -- and much more important, as much as I would like to make my site accessible to the visually impaired, just for the sake of not being an ass -- I simply cannot.

I'm still wondering why the web designers get the blame for such a situation.

sad (1)

orange47 (1519059) | more than 2 years ago | (#36811978)

It's sad that we have to remove functionality to be more secure. I do like noscript and use it all the time, but the problem is more and more websites require js for simple tasks. Wish there was a better way, e.g. using user interaction to select which parts of js are 100% ok or something like that. Or perhaps whitelisting md5sums of common scripts (if that hasn't been already done). Ironically, posting this comment seems to require some scripts turned on.

Re:sad (1)

hedwards (940851) | more than 2 years ago | (#36813110)

It's a phase that's looking more and more like a new normal. We were lucky with those huge painterly sites of the late 90s that they eventually went away. Sure they looked cool, but on a dial up connection they'd take 20 minutes to fully load.

Now, sites take 20 minutes to load because they've got to load content from all over the web and frequently the slowest things to load are the ads. Each hop from server to server takes more time and with the sites pulling in stuff from other sites it can easily stall out if you're doing anything else with your connection.

Now they can stop adding rules into adblock (-1)

Anonymous Coward | more than 2 years ago | (#36811988)

Since they will have money. You know, since they needed ad revenue. Or did we forget that?

Arrest Murdoch - ask Sam Kiley (-1)

Anonymous Coward | more than 2 years ago | (#36811992)

Arrest Murdoch

As described here http://www.guardian.co.uk/media/2001/sep/06/pressandpublishing.uknews

Rupert Murdoch has repeatedly terrorized editors if they did not obey his private follies.

"Sam Kiley, who resigned last month as the Times's Middle East correspondent, claimed yesterday that his reports were regularly censored by editors living in "terror" of irritating Mr Murdoch."

Sam Kiley could probably inform the investigators in London a lot about Murdoch's behavior, and likely, to what extent he ordered the buggings of 9/11 victims.

Why I don't use NoScript (-1, Redundant)

SCHecklerX (229973) | more than 2 years ago | (#36812024)

After the games the author played with the Adblock Plus extension, I simply cannot trust it.

http://adblockplus.org/blog/attention-noscript-users [adblockplus.org]

Re:Why I don't use NoScript (4, Insightful)

JBMcB (73720) | more than 2 years ago | (#36812156)

That's too bad, because it's awesome. I haven't found anything else that comes close to how flexible and easy to use it is.

As far as trust goes - I trust the developer of NoScript over the entirety of the javascript code injected by advertising and tracking agencies out there.

By the way - did you read the NoScript developer's mea culpa?

Re:Why I don't use NoScript (1)

grommit (97148) | more than 2 years ago | (#36812438)

As far as trust goes - I trust the developer of NoScript over the entirety of the javascript code injected by advertising and tracking agencies out there.

That is a very very good point.

Re:Why I don't use NoScript (2)

geminidomino (614729) | more than 2 years ago | (#36813844)

I haven't found anything else that comes close to how flexible and easy to use it is.

Have you checked out Request Policy [requestpolicy.com] ?

I don't suggest it out of NoScript hate[0] -- I still run noscript on some machines -- but because it's fantastically easy to use to do things you need to mess with ABE to do on NoScript (if even then. I haven't had the time to mess much with ABE). My favorite is being able to block everything google, and then only allow it, if needed, permanently and only on the sites that need it (mostly on sites using recaptcha)

It's pretty nice and one of the four extensions that keeps me shackled to Firefox, much to my continued misery (The other four being ABP, PasswordMaker, and Lazarus)

[0]Though its insistence on opening up the homepage twice a week lately on minor updates is becoming a pet peeve.

Re:Why I don't use NoScript (0)

NoNonAlphaCharsHere (2201864) | more than 2 years ago | (#36812202)

I've tried to use it four or five times through the years, and I always end up removing it almost immediately. I find the UI to be confusing (and just plain bad) to the point of uselessness, and the damn thing wastes more CPU cycles running than the wild JavaScript it purports to block.

I'd like it much better if browsers themselves simply didn't execute any JavaScript from any inactive tabs/minimized windows.

Re:Why I don't use NoScript (1)

Bengie (1121981) | more than 2 years ago | (#36812476)

They're adding in real-time socket communication to Javascript. If I was chatting with a friend and had to keep the window in focus, that would irk me. Good idea, but would definitely have to be optional. Maybe trusted sites?

Re:Why I don't use NoScript (3, Insightful)

nabsltd (1313397) | more than 2 years ago | (#36812588)

I've tried to use it four or five times through the years, and I always end up removing it almost immediately. I find the UI to be confusing (and just plain bad) to the point of uselessness

What, exactly, is confusing about clicking one time on a menu item that reads "Allow slashdot.org" (for example)?

The only time I find there to be a problem is when a domain loads scripts from 5-10 other domains. That does make it difficult to figure out which scripts are required to make the site functional, but that's not a problem with NoScript...that's a problem with the site. And, it's exactly this "code from random sites" that makes NoScript important for browser security.

Re:Why I don't use NoScript (2)

hedwards (940851) | more than 2 years ago | (#36813138)

The UI isn't confusing, what is confusing is the tendency of sites to use a large number of largely anonymous servers to give even basic functionality. What NoScript really needs is a way of blacklisting domains manually so that I have to manually enable them if I decide I want them. For things like Facebook which are inexplicably everywhere even though they aren't necessary on any site that I routinely go to.

Re:Why I don't use NoScript (3, Interesting)

0123456 (636235) | more than 2 years ago | (#36813720)

What NoScript really needs is a way of blacklisting domains manually so that I have to manually enable them if I decide I want them.

You mean like 'mark as untrusted'?

I'd like to see domain-based functionality, so for example I can allow Facebook Javascript when I'm actually using Facebook, but block it when I'm at any other site.

Ah, I still remember the early days of Javascript when we were telling people what a horrible insecure pile of crap it would be and they were assuring us that nothing could possibly go wrong.
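The per-site rule discussed in the comments above (allow a script site only when the page itself belongs to a named site, block it everywhere else, and keep a global untrusted list), as an added example that is not part of any commenter's post and is not NoScript's or RequestPolicy's code. The function names, the policy layout, the sample sites and the "last two DNS labels" definition of a site are all assumptions made for illustration.

```javascript
// Added example: default-deny script policy keyed on (page site, script site).
// All site names and rules are constructed for illustration.

// Assumption: "site" = last two DNS labels. Real code must consult the
// Public Suffix List, or example.co.uk and other.co.uk collapse to "co.uk".
function siteOf(url) {
  const host = new URL(url).hostname.toLowerCase().replace(/\.$/, '');
  if (!host) throw new Error('no host');
  return host.split('.').slice(-2).join('.');
}

const policy = {
  // Script sites blocked everywhere, even if another rule would allow them.
  untrusted: new Set(['tracker.example']),
  // Script site -> page sites on which it may run.
  allowOn: new Map([
    ['facebook.com', new Set(['facebook.com'])],   // only while on Facebook
    ['google.com', new Set(['forum.example'])],    // e.g. a CAPTCHA on one forum
    ['forum.example', new Set(['forum.example'])], // the forum's own scripts
  ]),
};

function decide(pageUrl, scriptUrl, p = policy) {
  let page, script;
  try {
    page = siteOf(pageUrl);
    script = siteOf(scriptUrl);
  } catch (e) {
    return { allow: false, reason: 'unparseable URL' }; // fail closed
  }
  if (p.untrusted.has(script)) return { allow: false, reason: 'marked untrusted' };
  const pages = p.allowOn.get(script);
  if (pages && pages.has(page)) return { allow: true, reason: 'allowed on this site' };
  return { allow: false, reason: 'default deny' };
}

// List the script sites a page pulls in and what the policy does with each.
function auditPage(pageUrl, scriptUrls, p = policy) {
  const out = { allowed: new Set(), blocked: new Set() };
  for (const u of scriptUrls) {
    let site;
    try { site = siteOf(u); } catch (e) { site = '(invalid)'; }
    (decide(pageUrl, u, p).allow ? out.allowed : out.blocked).add(site);
  }
  return { allowed: [...out.allowed].sort(), blocked: [...out.blocked].sort() };
}

// Constructed sample: one forum page loading scripts from five hosts.
const report = auditPage('https://forum.example/thread/1', [
  'https://static.forum.example/app.js',
  'https://www.google.com/recaptcha/api.js',
  'https://connect.facebook.com/sdk.js',
  'https://cdn.tracker.example/t.js',
  'https://facebook.com.evil.example/sdk.js', // look-alike host, not facebook.com
]);
console.log(report);
```

Matching on the parsed site rather than on a substring of the URL is what keeps the look-alike host `facebook.com.evil.example` from inheriting the Facebook rule.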

Re:Why I don't use NoScript (0)

Anonymous Coward | more than 2 years ago | (#36813728)

I've tried to use it four or five times through the years, and I always end up removing it almost immediately. I find the UI to be confusing (and just plain bad) to the point of uselessness, and the damn thing wastes more CPU cycles running than the wild JavaScript it purports to block.

You must be dumb as a fucking plank then.

Re:Why I don't use NoScript (3, Insightful)

grommit (97148) | more than 2 years ago | (#36812208)

Even though the author recognized his mistake, backed out the changes, and apologized profusely in a very public manner you still don't trust him? Harsh man, harsh.
http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ [hackademix.net]
I'd rather not blacklist somebody over a single incident. However, if you happen to know of other instances where he did something sketchy, please let us know.

Re:Why I don't use NoScript (0)

Anonymous Coward | more than 2 years ago | (#36812322)

Fool me once, fool me twice...

Re:Why I don't use NoScript (2)

VGPowerlord (621254) | more than 2 years ago | (#36812424)

Fool me once, fool me twice...

No, no, no.... it's
"Fool me once, shame on... shame on you. Fool me... you can't get fooled again!" -- GW Bush

Re:Why I don't use NoScript (1)

larry bagina (561269) | more than 2 years ago | (#36813022)

Prior to that, he pushed out a lot of incredibly minor updates ("fixed a typo in a comment"), seemingly to increase the ad impressions on his web site. Which used javascript (google analytics and ads) and was whitelisted by default.

Re:Why I don't use NoScript (0)

Anonymous Coward | more than 2 years ago | (#36812264)

Wish I could mod you up!

Re:Why I don't use NoScript (1)

Anonymous Coward | more than 2 years ago | (#36812486)

Thing is I trust websites even less.

Turned it off and surfed around for about 2 hours. 3 damn viri...

So I surf around with a broken internet...

Re:Why I don't use NoScript (0)

Anonymous Coward | more than 2 years ago | (#36813550)

Are you seriously that stupid? The guy makes an awesome addon that protects millions of users, releases it for free, makes one mistake that he apologizes for a few days later, and suddenly you can't trust one of the most useful addons of Firefox?

If your mom was like you, you would've probably been put down shortly after birth. Probably for the better.

Help with NoScript updates (0)

Anonymous Coward | more than 2 years ago | (#36812062)

For some reason I seem to be on the testing branch, receiving different release candidates almost every day. How do I switch to the stable branch where I get to run only final versions?

They will probably celebrate with a new version (1)

ydrol (626558) | more than 2 years ago | (#36812090)

Any excuse for those page hits. Good tool though, but I switched off the bit that opens the home page every time there is a new "important" update.

Re:They will probably celebrate with a new version (1)

psyclone (187154) | more than 2 years ago | (#36812518)

I like watching changelogs, to see what holes were patched. With NoScript, the right pane shows the changes -- new attack vectors are blocked all the time. (At this point they are mostly minor, but still crazy that default browser security with respect to local and remote script invocation is nearly non-existent.)

crowdsourcing life0cidal weapons/peddlers (-1)

Anonymous Coward | more than 2 years ago | (#36812096)

it can't be us? that's not who we are? the hymenical council is writing the code for the app right now. to be released in conjunction with the papers of challenge delivered by the whore of babylon.

it gets even whackier;

Declaration: July 4, 2011

1. We the people believe that the crimes committed by prior
administrations are unfinished business. Those who committed these crimes
need to be brought to justice and justice needs to be done. We repudiate
the current administration for allowing these criminals to avoid
accountability and we pledge to right this wrong.

2. We the people believe that the current administration has also
committed grievous crimes, including murder, war crimes, crimes against
humanity, various crimes against the peoples of other nations and crimes
against citizens of the United States, including direct attacks on the US
Constitution and the rule of law, a general failure to preserve, protect,
and defend the Constitution and what it stands for. Those who have
committed these crimes also need to be brought to justice and the
Constitution restored to its rightful place in the world.

3. We the people believe that unconscionable economic crimes have also
been perpetrated against the American people and other peoples around the
world. These crimes were aided and abetted by US government officials who
failed in their duty to honor the trust given to them. Our elected
officials, including members of both houses of Congress and the President,
have systematically betrayed the people by selling their allegiance to
private interests at the expense of the People. They are fiduciaries of
the highest order and they have betrayed our trust in the most egregious
manner possible. They have lied to us, cheated us, and hidden behind walls
of secrecy in order to perpetrate frauds on us; ignored basic principles of
fairness and decency. They have squandered the people’s wealth in exchange
for favors. They have aided and abetted leaders of corporations and other
financial operatives to perpetrate frauds against the People and they have
obstructed justice by refusing to pursue those who broke the law in doing
so. These frauds shall not stand. Those who are responsible shall be made
accountable.

4. We the people believe our government has pursued economic policies
designed to benefit the wealthy few at the expense of the many and we
repudiate these policies and those who set them in motion. The tax
policies of the Bush administration are odious, unfair, and fraudulent in
every way, as were the bank bailouts. No business is too big to fail and
no person is so important as to be above the law. Innocent people have
lost their jobs and well being while individuals and financial
institutions have not been held accountable for their crimes, nor have
those who were cheated been properly compensated.

Not the holy grail of browser security (0)

Quick Reply (688867) | more than 2 years ago | (#36812242)

There are plenty of vulnerabilities found that do not need scripts, let's not make NoScript out to be more than what it is.

Re:Not the holy grail of browser security (0)

Anonymous Coward | more than 2 years ago | (#36812368)

While you are correct, running NoScript prevents you catching most of the script based malware ...

Re:Not the holy grail of browser security (2, Informative)

Anonymous Coward | more than 2 years ago | (#36812432)

There are plenty of vulnerabilities found that do not need scripts

For many of them (e.g. Clickjacking or cross-zone CSRF with DNS rebinding) NoScript features specific countermeasures which go far beyond script blocking.

Furthermore NoScript blocks plugins, XSLT, HTML5 media and web fonts on untrusted sites, which reduces the attack surface to HTML/CSS parsing or image decoding vulnerabilities, relatively rare nowadays. And even those, usually, still require scripting to be exploitable on modern systems (e.g. for heap spray preparation).

Re:Not the holy grail of browser security (1)

schwit1 (797399) | more than 2 years ago | (#36812506)

No browser is perfect, but all other things being equal NoScript makes the web a far safer place. Include Adblock and not running the browser as an admin, and you are pretty safe.

Re:Not the holy grail of browser security (4, Insightful)

CCarrot (1562079) | more than 2 years ago | (#36812780)

There are plenty of vulnerabilities found that do not need scripts, let's not make NoScript out to be more than what it is.

I'm sorry, I've got to call BS. That's like saying "There are plenty of illnesses out there that aren't virus-based or bacterial, so let's not make washing our hands out to be more important than it is."

Fact is, NoScript is an invaluable resource, with a clear, easy-to-use interface, and even the less-than-tech-savvy user can use it to vastly reduce their chance of 'catching' something. Yes, it does not provide perfect protection from everything, but I'm afraid the only way you can achieve that is to pull the plug on teh interwebs and live in your own virtual 'bubble'.

I for one applaud this award as well-deserved. Good on them!

Helps prevent trojan infections (4, Interesting)

madhatter256 (443326) | more than 2 years ago | (#36812668)

No Script helped in stemming the amount of infected PCs I received. I'd install it on my customers' PCs and showed them how it worked and that they should turn it off only when doing stuff like online banking, otherwise leave it on.

It was of tremendous help and a lot of repeat customers stopped coming back with the same infection.

If nothing else, use it for speed. (3, Informative)

dezert1 (964839) | more than 2 years ago | (#36812886)

Not having JS loading makes all pages load incredibly fast. Use it like a turbo button. That combined with Ghostery and Better Privacy make for a pretty good browsing experience (and shows you what each page is attempting to do). If you are looking for perfection, there is nothing stopping you from writing your own browser. NoScript is the biggest reason I stick with FF. Love it!

Re:If nothing else, use it for speed. (1)

Anonymous Coward | more than 2 years ago | (#36813206)

+1
Every computer I set up gets FF and:
NoScript (top level domains enabled),
Adblock Plus (disabled for sites you use all the time),
Ghostery,
Flashblock,
Better Privacy,
Beef Taco,
Google Analytics Opt Out,
Advertising Cookie Opt Out,

A quick twenty minute instructional and folks are good to go.
And a couple of days later they thank me for speeding up their online experience. Hell, yesterday the Guatemalan short order cook at the hot dog place bought my lunch for me because of these very changes. Said the web was so much better and faster for him.

Re:If nothing else, use it for speed. (1)

tunapez (1161697) | more than 2 years ago | (#36813238)

And all the ad servers and affiliates! Fecebook, Twatter, Google, Google Syndication, Google Analytics, the 3rd party adverts that malware peddlers crack regularly. Fuck that.

NS and Live Bookmarks is why I stayed through all the post 3.5 feature bloat. I could run any stripped browser in a sandbox, but what I can't find is a Live Bookmark equivalent...ie: just headlines, no pix, no diarrhea of the keyboard descriptions, no new windows, no muss. Just headlines to scan.

All your scripts are belong to noscript (2)

djl4570 (801529) | more than 2 years ago | (#36812960)

The author deserves this. I reported a small problem on Amazon and he had a release candidate ready for testing about six hours later.

Re:All your scripts are belong to noscript (0)

Anonymous Coward | more than 2 years ago | (#36813992)

That's incredibly generous of you.... oohhhh... I see. You mean he deserves this *from other people*, not from you personally ! ;)

*I re-read this prior to posting, and it sounds a bit catty/sarcastic... so for the record I am joking and I *do* understand the parent's intent. Honest!