Firefox 23 Makes JavaScript Obligatory
mikejuk writes "It seems that Firefox 23, currently in beta, has removed the option to disable JavaScript. Is this good for programmers and web apps? Why has Mozilla decided that this is the right thing to do? The simple answer is that there is a growing movement to reduce user options that can break applications. The idea is that if you provide lots of user options then users will click them in ways that aren't particularly logical. The result is that users break the browser and then complain that it is broken. For example, there are websites that not only don't work without JavaScript, but they fail in complex ways — ways that worry the end user. Hence, once you remove the disable JavaScript option Firefox suddenly works on a lot of websites. Today there are a lot of programmers of the opinion that if the user has JavaScript off then it's their own fault and consuming the page without JavaScript is as silly as trying to consume it without HTML."
They just removed the easy way to turn it off to prevent simple mistakes. You can still turn it off behind about:config or with extensions for those that need it.
(at least in Nightly) It's just hidden, you can still enable/disable JavaScript in the about:config menu and addons like NoScript still work.
I'm running FF23 beta on my personal system and NoScript is still working as before.
Yes.
JavaScript is supposed to be sandboxed in all modern browsers, but that doesn't make it perfect. All the serious vulnerabilities I've seen over the past few years exploited the sandbox, and therefore required JavaScript to work.
Also there is private information WITHIN the browser. Being inside the sandbox, that information is thus provided to websites.
For example:
Browser fingerprinting, using your installed fonts, screen resolution, etc. http://panopticlick.eff.org/
Mouse pointer tracking with JavaScript: http://jsbin.com/ufupol/98
Capturing information entered into forms and then deleted before submitting: various analytics tools
Here's a random analytics provider I found on Google (There were plenty of others):
We capture every mouse move, click, scroll and keystroke, by using a tiny piece of JavaScript copied into your website. The whole process is completely transparent to the end user, and has no noticeable effect on your site performance.
http://www.clicktale.com/products/mouse-tracking-suite/visitor-recordings
I've got no problem with your browser choice -- if you want to use Mozilla over Chrome, or IE over Firefox, hey, that's your call. But don't misrepresent the situation.
Google and Yahoo both pushed back hard against the NSA's programs. Yahoo went to court over it. You know what the court said? "Obey."
So what could Google do? You can't run an advertising business without having some information on your users. You can't run an email service without having access to the accounts. Yes, I suppose Google could have theoretically attempted to create a business in which everyone it served were direct customers of encryption services it provided (while explicitly saying that it couldn't decrypt traffic). Maybe that works for a startup, but you can't exactly transition a multi-billion dollar corporation to a direct customer model to avoid the NSA -- especially when you are legally prohibited from acknowledging that the NSA even spoke to you.
More than one of the companies that participate in Prism were forced to do so.
IE had ActiveX and such. It was stupid. It was a security issue. It was almost impossible to avoid.
Mozilla Gecko (the framework Firefox is built on) makes extensive use of XPCOM, which is the functional equivalent of ActiveX in every way, except that it works outside of Windows.
Some Firefox plugins are ... XPCOM objects.
XPCOM has been at the core of the Firefox design as long as I've seen the source (I was embedding gecko into apps in my former life, at least 7 years).
You have absolutely no idea whatsoever what ActiveX is, nor do you have any idea what the actual problem with IE was that resulted in so many ActiveX related exploits.
ActiveX is a self describing plugin system which allows an application to load and potentially use a plugin without any prior knowledge, EXACTLY like XPCOM in Firefox. Again, they are 100% functionally the same.
Internet Explorer had retarded defaults (allow any unsigned ActiveX to install without asking) to begin with, then those were 'fixed', and then the install without prompting exploits started, so malicious sites would install ActiveX controls without your consent ... and then ... we also have to deal with all ActiveX controls which were installed with improper ActiveX safety flags.
The safety flags were 2 flags set aside to allow an ActiveX control to say 'hey, I'm safe to use in Internet Explorer' and 'I'm safe to allow any random website to use me in IE!'. The morons in the Excel team (as one example) would, out of ignorance, flag all of their controls for Excel as safe for IE/safe for scripting ... so IE thought it was perfectly acceptable to load a control that will read and write random files on the drive. Every time a Windows Update patch for 'ActiveX killbits' comes out ... this is what they are talking about, changing the OS to ignore controls flagged as safe when they are known not to be.
Mozilla has no such support for flagging controls as safe for browser/safe for scripting. It tries to pretend it is an uncrossable barrier, but that is in fact no way the case.
So any time an 'ActiveX' issue comes up, you should be aware that it wasn't an ActiveX problem, it was an Internet Explorer implementation of ActiveX, and other developers bad code that was exploitable.
You really can't 'exploit' ActiveX any more than you can 'exploit' DLL or SO. You can exploit bad implementations of the loader.
Imagine if Firefox allowed web page scripting to automatically install Firefox plugins. Would you blame XPCOM then? That's what you do when you blame ActiveX.
Finally, it makes you look fucking stupid when you blame ActiveX. All you do is make it clear that you don't actually know what the problem was, let alone understand what it was. You just sound like an ignorant drama queen.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
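The safety flags and kill bits described in the ActiveX comment above can be audited from the registry. The following is an added example (not code from the thread or from Microsoft): it lists COM classes whose registration declares them "safe for scripting" or "safe for initializing" via the two component-category GUIDs, and reports whether IE's kill bit (the 0x400 bit of "Compatibility Flags") has since been set for each. It assumes it is run on Windows with read access to HKCR and HKLM.

```powershell
# Added example: audit ActiveX "safe for scripting/initializing" declarations
# against the IE kill-bit list. Not from the thread; assumes Windows + registry read access.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing
$KillBit             = 0x400                                       # bit IE checks before loading a control
$CompatPath          = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# Returns $true when the kill bit is set for the given CLSID (key absent => not killed).
function Get-KillBitState {
    param([string]$Clsid)
    $key = Join-Path $CompatPath $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band $KillBit)
}

# Walk every registered CLSID and keep those that declare themselves safe for the browser.
Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $cats  = Join-Path $_.PSPath 'Implemented Categories'
    if (-not (Test-Path $cats)) { return }          # no category declarations at all
    $scripting = Test-Path (Join-Path $cats $SafeForScripting)
    $init      = Test-Path (Join-Path $cats $SafeForInitializing)
    if ($scripting -or $init) {
        [pscustomobject]@{
            CLSID         = $clsid
            Name          = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)'
            SafeForScript = $scripting
            SafeForInit   = $init
            KillBitSet    = Get-KillBitState $clsid   # $false here = still loadable by IE
        }
    }
} | Sort-Object KillBitSet | Format-Table -AutoSize
```

Controls that assert safety at runtime through the IObjectSafety interface rather than through category registration will not appear in this list, so the output is a lower bound on what IE would treat as scriptable.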