Domain: noscript.net
Stories and comments across the archive that link to noscript.net.
Comments · 347
-
Re:Problem with hosts...
And AdZap for squid was doing it before that. With roaming laptops and such, I found it easier to just install AdBlock which was much more effective.
With anti-adblocking code out there (along with javascript malware,) NoScript for FF is also a must. User Agent Switcher is also cool - make your browser look like a search engine such as googlebot... Can lead to interesting results on some sites. -
NoScript?
It's nice that the guy mentions NoScript, but why does he mention it with the web developer tools? It's a very handy general purpose extension. By the way, it's amazing to see how many web developers can't use the <noscript> tags properly (or just don't care): lots of websites just break when you turn off Javascript--no error messages, no nothing.
-
Re:Javascript is insecure - AJAX is security hole
The easy way around the problem is per-site JavaScript permissions. Internet Explorer has allowed you to set up your browser like that for ages, I'm surprised Firefox isn't the same way.
Still, there's a plugin for it... -
No problem / Noscript
The noscript firefox extension lets you forbid execution of javascript/java/flash by default and only enable it again for some sites (whitelist). Internet Explorer has "Trusted Sites" or something.. So all in all that is not that much of a problem..
-
And for that 0.09%...
"Levy and Gribble didn't set out to verify that, but they did note that the few successful spyware attacks on Firefox were made by Java applets ", but they can be easily blocked and allowed on trusted domains only using the NoScript Firefox extension, which takes care the same way of JavaScript, Flash and other plugins for a paranoid yet usable security level
:) -
NoScript will take care of this baby ;)
I'm already testing and I'm about to release a NoScript version (1.1.3.6) which neutralizes this lovely ping attribute on untrusted sites, and offers also a user-accessible option, not implemented by Firefox (yet?), to disable it globally. I hope this will calm down the tinfoil hats
;) -
Re:OH NOS!
Ding ding ding! We have a winner! Nuts to AJAX. If I ever am forced to use it, I can tell NoScript to allow it. I've whitelisted Google, Wikipedia, and a few other sites; that's about it. Javascript free for a month now and loving it.
-
Re:Javascript is a security problem?
Rather than turn off JavaScript entirely, I use the NoScript extension to turn it off everywhere but on the sites I allow. The only adjustment needed was to turn off the "NoScript has blocked JavaScript" message in the extension options since it occurred so frequently.
-
Re:code
No, it's not an overreaction. In fact, it's very simple: images in unsolicited advertisements are evil. Unless I'm searching Froogle, Amazon, or some other product site, and then I get images for the products that turn up in the results, images to advertise anything are inherently evil.
Although I might be saying this because I use Firefox, and Firefox does have that memory leakage with images. Then again, I also can't use any other browser for more than a few minutes before I want to kill -9 it due to the awesomeness that is Adblock Plus and No-Script. -
Re:Why focus on JavaScript?
NoScript 1.1.3.5 prevents all the possible variants anyway truncating titles (JavaScript forged or not) to 255 characters by default.
-
Re:Fix just came out.
That's why I run the NoScript extension. Makes me that much freer to click links in /. sigs. -
Re:Scummy eweek popup alert
Try this NoScript. It's a whitelist so you can allow only certain sites to use javascript.
-
Re:[offtopic] What the ..... popover ads on Slashd
I browse Slashdot with Javascript turned off since there's no need to turn it on here. Nice, old-fashioned passive/static "content" (I hate that word) only please.
Oh and BTW, thank you, http://www.noscript.net/ -
This is why...
...I use NoScript.
-
Re:Insecure.. firefox..
You could if you used the FireFox NoScript plugin.
Javascript is off on all sites, unless you specifically allow it on a per-site basis.
-
Re:Insecure.. firefox..
You can do exactly that by installing the "NoScript" extension http://www.noscript.net/whats
-
Re:Insecure.. firefox..
Two words: Noscript Plugin.
-
Re:The Google-fication of the facts
Most of the new versions of pop-unders use Javascript to sneak past the pop-up blockers. I really hope that you are not actually surfing with Javascript enabled.
That's why you use NoScript. You can selectively enable JavaScript for those sites that really need it and leave it off everywhere else.
-
Re:Be Careful
One way to decrease paranoia (if you're running Firefox) is to install No Script. You then just whitelist (temporarily or permanently) the sites you trust.
-
Re:NoScript...
NoScript is definitely one of the most useful extensions ever! Have a site that somehow gets pop-ups past you? Well, they work via javascript, so fuck 'em! New security vulnerability due to JS somehow? Fuck 'em again! Ads in general? Fuck 'em, they use JS! Badly coded tag soup websites that depend on JS? Fuck 'em and their incompetent web developers!
Enabled Extensions: [14] (asterisks denote highly recommended extensions)
Adblock Plus 0.5.10.20051107*
All-in-One Gestures 0.17*
DOM Inspector 1.9a1
FoxyTunes 1.1.5.4
Linkification 1.1.6*
Location Navigator 0.6* (for porn)
Menu Editor 1.2
MR Tech Local Install 4.0
Nightly Tester Tools 0.7.9.10
NoScript 1.1.3.3*
Permit Cookies 0.5*
Redirect Remover 0.43* (for porn)
Update Channel Selector 1.0.1
WebmailCompose 0.6.1 -
NoScript...
NoScript has to be on the top of my list (right after Adblock and Greasemonkey)...Disabling JS globally and only allowing it where it is necessary keeps out almost all ads...pages load faster, and you don't have to worry about information leaks...
Some others I use...BetterSearch, LinkPreview, Outfoxed, BugMeNot, del.icio.us and Farky... -
Re:Better pop-up extensions?
As fellow posters have flocked to reply, using AdBlock with a decent set of filters will effectively block ads all over the place. Flashblock really does its job too. Tested in 1.5 and 1.0.7 and whatnot. Rock solid, no ads, no Flash.
And in the border case where the webmasters employ javascript to drive you nuts, NoScript is the bomb. JavaScript is so evil it's scary, both due to privacy and advertisement. I definitely want a per-site blocker. It's trivial for a website to snoop on the browsing history of the current window or tab, for instance.
And no, blacklisting doesn't work. It's just a catch-up game and it's stupid from a security point of view. Nevermind that all antivirus and anti-malware makers employ it. Whitelisting is the way to go, and NoScript does it right. I don't want to keep up with unknown threats, I want to only allow what I know is good. -
Re:AJAX vuns
The website got a legal form making this person the user's friend. It's not a website problem. The problem is that javascript can be injected which gets executed and does form entries without the user's knowledge. That's a browser problem.
Firefox is not necessarily immune to XSS attacks, see noscript. -
Re:Firefox + Adblock + Adblock Filterset.G Updater
I use NoScript for the same purpose. I tried Flashblock, and found it wanting. Not that it was bad, I just preferred NoScript's interface and performance thus far.
Regardless, I highly recommend people using some form of flash blocking, so kudos on the article. For those unaware: Flash is how most of the current crop of pop-ups manage to circumvent Mozilla's pop-up suppression. -
Features I will need to make a permanent switch
It's been awhile since I've tried Opera but I'm very impressed with it. I love the small tabs that minimise screen real estate, the seamlessly integrated pop3 email, the personal toolbar, incredible speed, etc. I would make a permanent switch to Opera if they had features equivalent to these firefox extensions:
Hit-a-hint Noscript Bugmenot Downthemall -
NoScript VS Default Permit
NoScript users have been asking for black-list JavaScript/Java blocking since the beginning, but I'm still convinced white-list approach is the only way to go, when it comes to security. How can you tell for sure the link you're about to follow with a careless click (or, worse, the popup that is about to open without your consent) leads to a "safe place"?
-
Re:NSFW!!
I'm using noscript with Firefox so the image was "safe for work" for me. Just a huge fuel tank being transported by a truck.
-
Re:obFlashBlockLink
I prefer noscript. Javascript/Java/anything whitelist based on hostname/domainname/url.
-
I use Firefox + Permit Cookies extension
To block cookies by default unless a site absolutely needs it.
Cookie management in Firefox is a little bothersome, that's why I installed Permit Cookies extension, so you can easily whitelist sites by pressing ctrl-c. Then you can choose: allow, session, block, or remove the cookie for the site you are currently viewing.
Permit Cookies would be a little more user friendly if it worked just like NoScript extension (which does the same, but for javascript).
In my opinion both tools should be integrated into Firefox.
-
Re:Sites that store login info in cookies
Sounds like my old plan. What allowed me to improve on this was discovering Cookie button, a Firefox extension. Now I leave the default setting as reject all cookies and click the little button to allow those sites that need it (I think I have about 12 allowed, but I'm probably more conservative than most would be).
Along similar lines, NoScript does the same thing for javascript and most here probably already know about AdBlock and Filterset G (the best pre-made set of adblock filters I know of). -
Possible solution - NoScript extension is great !
I use Greasemonkey in conjunction with NoScript - an extension which prevents any site from using Javascript unless it is added to the whitelist maintained in the extension.
To run a Greasemonkey script on a page you have to allow that domain or subdomain in NoScript. This prevents Greasemonkey being used on a rogue page as I wouldn't use a script on an uber-dodgy site anyway! -
My solution
"This cleanup is free. The next one, if the need for it is caused by bad practice, won't be"
- follow this up with standard teach-in about browser security, risks posed by using the mainstream browser that is widely targeted, introduction of a different browser that doesn't have these particular problems
- provide printed sheet about system security for them to read if the teach-in wasn't clear enough
- install Firefox and AdBlock with a default set of REGEX filters to kill the worst excesses, and suggest they play with NoScript for ultimate safety, now that the browser-crashing bug that it sometimes triggers has been fixed.
Bingo -
Re:Not really new, but interesting
I myself tend to make all my webpages compliant and in such a way that if you were to view the site on a text browser, cell phone, PDA, or whatnot, you'd still be able to see all the content cleanly without affecting the overall presentation of the site. Not only is valid XHTML important, but so is writing it in a logical way. That way, you can write your page nicely in XHTML, apply a stylesheet, and the final product looks great on both GUI and non-GUI web browsers.
I also avoid JavaScript completely (unless I'm designing a web-app that uses it a la Google's usually do, but in those cases, I like to screw around with XUL at the same time) because I just find that it adds no particular value to most sites. Do I really need JavaScript to click a fucking picture in order to see the full-sized version (fapomatic, I'm looking at you)? The "a" tag was invented for that reason, dipshits! JavaScript has generally been the backbone for spawning ads or fixing browser quirks that are only caused by the fact that the site was written using FrontPage and gobs of JPEGs (those of which would be better off as PNG or even GIF) with things that might seem cool at the time but actually aren't. I even have No-Script installed to avoid enabling JavaScript for at least 99% of the sites out there.
Also, I'd like to mention how CSS3 adds on almost any "cool effect" you get from JavaScript hacks in a small snippet of code. Examples include 'border-radius', 'text-shadow', and a lot of pseudo-classes such as :nth-child().
Love the W3C; don't fight them. -
Firefox 1.0.5 and NoScript
Firefox 1.0.5 contains a bug fix to CAPS (Configurable Access Policies), finally removing crashes reported by users of the NoScript extension. This should make Firefox even safer: NoScript's "whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality" - http://www.noscript.net/
-
Fx 1.0.5 fixes and NoScript
Among the other fixes, Firefox 1.0.5 contains a patch to CAPS (Configurable Access Policies) that finally eliminates crashes reported by users of the NoScript extension. This should make Firefox users even more safe: its "whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet!) with no loss of functionality"...
-
Re:First to find....
Only an idiot would have javascript enabled these days, since 99% of browser exploits don't work if javascript is disabled.
How do I access Google Maps with javascript disabled?
Well, if you have Firefox, try this.
No guarantees express or implied.
-
Firefox users, don't be afraid
Even if firefox is vulnerable, get this excellent extension and solve your problem. Happy browsing!
-
Re:Dupe, or just not fixed yet?
"It has been fixed in Firefox".
"No it hasn't".
Perhaps, but Firefox users can "fix-it" by using an extension called NoScript [ http://www.noscript.net/ ]. -
Re:Ahh I love Javascript dialogs, I really do
Noscript allows you to only run javascript at trusted sites, and untrusted sites do not get to run javascript...I can't see any reason for slashdot running 3 javascripts, so therefore I deny them. Gmail uses it purposefully, so I allow them. Recommended. Oh, and it is a firefox extension
:) -
Re:Ahh I love Javascript dialogs, I really do
Check out noscript, firefox extension for whitelisting javascript
Ewan -
Re:Oh I know
Easier to use an extension like NoScript - a javascript permission whitelist - to selectively allow pages to run scripts, then control passes to where it should be - the user
-
Re:NoScript
I can't be the only one who thought the ***s were curses
Developer Comments:
This is not a support forum! If you need support,
you're welcome at http://www.noscript.net/
where you can ***read the FAQ*** or use the forum. -
On a side note
What I'd like to see in Firefox is a more fine-grained control of policies.
I currently use Firefox with Software install disabled, Java disabled, noscript and Adblock.
There should be the inherent capability in Firefox to restrict _everything_ based on URL regexes or domain patterns. I want to block Java, Javascript, Flash (any plugin for that matter), Cookies, Referrer, User-Agent, a-n-y-t-h-i-n-g and only allow it for certain sites. Currently this works for Cookies and Javascript with external extensions. Ironically, the extension that turns Flash objects into buttons you have to click first requires Javascript, so I'd have to enable javascript for unknown sites. Sucks.
Feels too kludgy. A clean mechanism to define policies for basically anything directly in Firefox would be much better. -
Re:Maybe just maybe
Javascript has uses from time to time.
I therefore consider it sad to fully disable it, but - lucky me - Firefox's Noscript extension allows me to whitelist JS on a per-site basis.
Along with some other privacy extensions such as Adblock, Flashblock, Objection, Cookie Culler and Cookie Button it really eases my browsing and feeling of security (and much reduces common annoyances) -
I still feel whitelisting is best here.
I've been using whitelisting with [first party] cookies (generally with sites I'm a member of) and javascript (only for sites I use that require it such as gmail). Normally this would be a tedious task, but I have some extensions to help me out when it comes to security in this manner.
Actually, I have probably over 40 extensions installed right now, but those are some of the most useful.