Is there a "better NoScript" that makes more sense?

Joshua Judson Rosen rozzin at hackerposse.com
Fri Jan 22 13:08:42 EST 2021


On 1/22/21 12:26 PM, Derek Atkins wrote:
> Hi,
> 
> Yes, it is default-deny and you must enable what you want/need.
> You can certainly say "enable this JS source for this website only".  So
> you don't need to enable it globally.

How? As I was hoping to thoroughly convey in my previous message,
I really don't see any way to do that.


> On Fri, January 22, 2021 12:18 pm, Joshua Judson Rosen wrote:
>> I've been trying out NoScript in Firefox on one of my computers after
>> having seen people recommend it for years,
>> and I'm finding that NoScript's whole permissions model just seems..., how
>> do I put this nicely...:
>> stupid. Or maybe just `stupidly antiquated'?
>>
>> Is there something better? More sensible? Let me explain my frustration
>> with NoScript, first...:
>>
>> While it does an OK-ish job of preventing the "some piece of javascript
>> has decided to peg my CPU"
>> problem (but only OK-ish, because that problem really seems to be more due
>> to bugs than malice in the JS code),
>> it seems to be largely useless as far as a `privacy tool'--which is weird,
>> because most of the
>> NoScript advocacy seems to have come from self-styled privacy wonks.
>>
>> To start with, it's whitelisting-only--so while I can deny JS and some
>> other permissions
>> *to everything by default*, and then whitelist some domains to let
>> everything from them in.
>>
>> Once something (JS loaded from a given site) is enabled, it's *enabled
>> globally*--
>> there's no way of saying "I'm actually _generally_ OK with javascript but
>> specifically want
>> to block this site because it's pegging my CPU [or whatever reasons]". The
>> user has to just
>> accept the much more arduous path of specifically whitelisting `the whole
>> world minus this one thing'.
>>
>> There's no way to just "disable JavaScript [or whatever] in this
>> container", or "disable it in this tab",
>> or "disable it for this site".
>>
>> That last one sounds like an oxymoron--like, "what do you mean, once
>> you've whitelisted a specific site
>> there's no way to de-whitelist that site?"..., but actually this takes us
>> to the next issue:
>> that the "per-site whitelisting" is whitelisting of the sites
>> *from which separate/auxiliary (often third-party) resources are loaded*,
>> not whitelisting of
>> sites *that load those resources*.
>>
>> Not only is it "whitelisting-only", the whitelist isn't even governing the
>> right things.
>>
>> So for example, if I ever want to use one of Google's websites, for
>> example Google Meet
>> in my `Work' Firefox container, then I have to whitelist "google.com" as a
>> source
>> of auxiliary JavaScript resources--and I have to do that *globally*, which
>> means
>> that now every website out there trying to load a fragment from
>> google.com
>> as part of a Google advertising-and-tracking campaign will now be allowed
>> to do that.
>>
>> There's no way to say "allow loading google.com trackers and scripts when
>> I'm specifically
>> using a google.com website, but elsewise refuse cross-site loads of
>> google.com resources
>> when I'm just using some random non-Google website that has no business
>> making me send info to Google".
>>
>> If I ever want to use any Google site, I'm stuck having to do the "disable
>> NoScript entirely for this tab"
>> every time, or loading it in an Incognito tab with the NoScript extension
>> itself set to
>> `do not run in Incognito tabs at all' (which is a situation that has a bunch
>> of other caveats itself).
>>
>> And Google's just an example of when that situation is even easy to
>> recognize;
>> a lot of sites load resources from something like
>> "fjr88fghdjt92838ngjfhgg82hgjfdskg2388gg22sg.cloudfront.net"--
>> good luck figuring out what that even is or how many other sites might
>> also be calling out to it.
>>
>> There's a "Temp. TRUSTED" option, but that's `temporary' meaning `until
>> the browser exits'
>> and is still completely global for the duration of the session AFAICT (it
>> doesn't appear
>> to be per-tab, or per-container, or per-site, or per *anything* that I
>> can identify).
>>
>> In a WWW where practically every resource is loaded cross-site, and where
>> both security
>> and privacy issues (and even `stability' and `usability' issues too!) can
>> have as much to do
>> with the relationships and access-patterns *between* those sites and the
>> user as
>> with the origin from which any *particular* resource is served..., this
>> just
>> isn't making a lot of sense to me.
>>
>> Is there a well-regarded Firefox extension out there that actually does
>> anything like I would have expected? Or is there something that's actually
>> already *in NoScript* that I'm somehow overlooking?
>>
>> Or have I just gone completely mad?
>>
>> --
>> Connect with me on the GNU social network:
>> <https://status.hackerposse.com/rozzin>
>> Not on the network? Ask me for an invitation to a social hub!
>>
> 
> 

-- 
Connect with me on the GNU social network: <https://status.hackerposse.com/rozzin>
Not on the network? Ask me for an invitation to a social hub!
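
Added example, not part of the original message and not NoScript's code: the two permission models the message contrasts, a global allowlist of script sources versus rules keyed on the (page, script source) pair. The rule format, the function names and the hostnames news.example and heavy.example are assumptions made for illustration.

```javascript
// Added illustration, not NoScript code. All hostnames and rules are constructed.

// True when host is the domain itself or one of its subdomains ("*" matches all).
function inDomain(host, domain) {
  return domain === "*" || host === domain || host.endsWith("." + domain);
}

// Model 1: global source allowlist, as the message describes it.
// The page doing the loading (pageUrl) is never consulted.
function globalAllow(allowlist, pageUrl, scriptUrl) {
  const src = new URL(scriptUrl).hostname;
  return allowlist.some((d) => inDomain(src, d));
}

// Model 2: rules keyed on (page site, script source). Default deny; the most
// specific matching rule wins (page first, then source), deny wins a tie.
function contextualAllow(rules, pageUrl, scriptUrl) {
  const page = new URL(pageUrl).hostname;
  const src = new URL(scriptUrl).hostname;
  const weight = (d) => (d === "*" ? 0 : d.length);
  let best = null;
  for (const r of rules) {
    if (!inDomain(page, r.page) || !inDomain(src, r.src)) continue;
    const rank = weight(r.page) * 1e6 + weight(r.src) * 10 + (r.action === "deny" ? 1 : 0);
    if (best === null || rank > best.rank) best = { rank, action: r.action };
  }
  return best !== null && best.action === "allow";
}

// "Google scripts only while I am on a Google site."
const firstPartyOnly = [{ page: "google.com", src: "google.com", action: "allow" }];
// "Generally fine with JavaScript, except on this one site."
const allowExceptOne = [
  { page: "*", src: "*", action: "allow" },
  { page: "heavy.example", src: "*", action: "deny" },
];

// Constructed loads: [page URL, script URL].
const onGoogle = ["https://meet.google.com/room", "https://www.google.com/js/app.js"];
const onNews = ["https://news.example/story", "https://www.google.com/ads/tag.js"];

console.log("global, on Google site:    ", globalAllow(["google.com"], ...onGoogle));
console.log("global, on third-party:    ", globalAllow(["google.com"], ...onNews));
console.log("contextual, on Google site:", contextualAllow(firstPartyOnly, ...onGoogle));
console.log("contextual, on third-party:", contextualAllow(firstPartyOnly, ...onNews));
```

Under the global model the same google.com entry that makes the Google site work also admits the cross-site load from news.example; the contextual rules separate the two cases.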

