Firefox 23 Makes JavaScript Obligatory
mikejuk writes "It seems that Firefox 23, currently in beta, has removed the option to disable JavaScript. Is this good for programmers and web apps? Why has Mozilla decided that this is the right thing to do? The simple answer is that there is a growing movement to reduce user options that can break applications. The idea is that if you provide lots of user options then users will click them in ways that aren't particularly logical. The result is that users break the browser and then complain that it is broken. For example, there are websites that not only don't work without JavaScript, but they fail in complex ways — ways that worry the end user. Hence, once you remove the disable JavaScript option Firefox suddenly works on a lot of websites. Today there are a lot of programmers of the opinion that if the user has JavaScript off then it's their own fault and consuming the page without JavaScript is as silly as trying to consume it without HTML."
As long as it doesn't break Noscript, I'm ok with this. It really IS folly to try to use the modern web without any javascript at all, but with Noscript I can still pick and choose which sites are allowed to run it in my browser.
End of lesson. You may press the button.
Maybe, maybe not ... but there's definitely a lot of privacy and distracting-advertising issues.
No sig today...
They just removed the easy way to turn it off to prevent simple mistakes. You can still turn it off behind about:config or with extensions for those that need it.
(at least in Nightly) It's just hidden, you can still enable/disable JavaScript in the about:config menu and add-ons like NoScript still work.
Why must we dumb down everything?
More like simplifying. Everything should be made as simple as possible but no simpler. Why have a menu option that never gets used? That is pretty much the definition of pointless. I'm pretty geeky and like to tinker with things but a menu option that never ever gets used is wasteful.
I cannot remember the last time I disabled JavaScript and I'm pretty confident that somewhere north of 99.9% of users never disable it either. Much of the modern web would be useless without JavaScript. So long as there remains a method (extension, etc.) to disable it if desired (à la NoScript) I really don't see the big deal.
Personally, what *I've* always wanted is a way to turn JS on and off that's more easily accessible. I often want it off, to try to get more consistent behavior (whizzy JS crap is often completely non-standard and confusing), but every now and then I need to flip it on to see if the apparent breakage is because some lazy programmer didn't feel like thinking about how things degrade.
But Mozilla seems determined to alienate users like myself, so this current bonehead move is hardly a surprise.
And yes, many "modern" web sites these days seem to require JavaScript, thanks to Google who made it ultra-cool and groovy.
Yes.
Javascript is supposed to be sandboxed in all modern browsers, but that doesn't make it perfect. All the serious vulnerabilities I've seen over the past few years exploited the sandbox, and therefore required javascript to work.
Also there is private information WITHIN the browser. Being inside the sandbox, that information is thus provided to websites.
For example:
Browser fingerprinting, using your installed fonts, screen resolution, etc. http://panopticlick.eff.org/
Mouse pointer tracking with javascript: http://jsbin.com/ufupol/98
Capturing information entered into forms and then deleted before submitting: various analytics tools
Here's a random analytics provider I found on Google (There were plenty of others):
We capture every mouse move, click, scroll and keystroke, by using a tiny piece of JavaScript copied into your website. The whole process is completely transparent to the end user, and has no noticeable effect on your site performance.
http://www.clicktale.com/products/mouse-tracking-suite/visitor-recordings
Are there still security issues with having JS enabled?
JavaScript is used by most malware installation systems. The typical route is that a trustworthy hacked site is modified to include a <script> tag with its source on the malware hosting domain. The resulting script will then use some mechanism to attempt to install malware, either simply dropping an executable download on the visitor and hoping they run it, or attempting to exploit either a browser or a browser plugin bug. Turn off JavaScript, and the exploit is never downloaded, so it can't run.
There are also direct browser attacks that would require javascript to function, e.g. http://www.mozilla.org/security/announce/2013/mfsa2013-53.html or http://www.mozilla.org/security/announce/2013/mfsa2013-46.html (to pick a couple from the last month or two).
So, yes, your system is still less secure if you have JS enabled than if you don't.
I miss the days when web developers still gave a shit about progressive enhancement.
I miss the days when you couldn't be considered a real web developer unless you could make a CSS Zen Garden (http://www.csszengarden.com) skin without cheating by changing the markup or using JS.
I miss the days when you were only considered a good web web developer if your site was usable with both JS and CSS disabled because you used semantic HTML.
I miss the days when accessibility still mattered.
I miss the days when writing semantic HTML, enhancing it with CSS, and enhancing it further with JS was considered the best practice, rather than starting with just JS and an empty body tag as is so common today.
I miss the days before the now-popular false dichotomy that progressive enhancement is extra work took hold among web developers.
I love that the web can do more now and compete with native apps better. But I hate that web developers are so quick to unnecessarily abandon progressive enhancement in the process when that's what made the web great to begin with.
You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
Stop posting this "user's" aka Dice's stories on Slashdot! His entire history of posts all link to the user's own i-programmer.info site in order to generate traffic and ad impressions. Enough is enough already!
Isn't the part about enabling malicious code by default stupid enough?
It's more of the "globally disabled EXCEPT for a whitelist maintained by the user".
It's the security methodology that is the difference.
Global enable vs global deny.
And Microsoft had the exact same reasoning behind their global enable. It makes it easier for THIRD PARTIES to present their content in the way that they want to the user.
That's almost acceptable when those THIRD PARTIES are trustworthy.
But those THIRD PARTIES could just as easily be crackers. And why make it easier for crackers to run their code on your computer in the way that they want to?
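As an added illustration of the "global deny plus a user-maintained whitelist" model described in this thread, and of the earlier point about a hacked site being modified to include a script tag sourced from a malware domain, the snippet below is example code written for this page, not code from any poster or from NoScript itself. It extracts every external script reference from a page and allows it only if its origin is on an explicit allowlist; the page URL, hostnames and HTML are constructed placeholders.

```javascript
// Added example, not from any post in the thread or from NoScript:
// a default-deny check over the external scripts a page references.
// A <script src> runs only if its origin is on an explicit allowlist;
// everything else, including a tag injected into a compromised
// first-party page, is reported as blocked.

// Pull the src attribute out of every <script ... src=...> tag.
// Handles double-quoted, single-quoted and unquoted attribute values.
function externalScriptSrcs(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    srcs.push(m[1] ?? m[2] ?? m[3]);
  }
  return srcs;
}

// Resolve a (possibly relative or protocol-relative) src against the page
// URL and return its origin. Unparseable values get a sentinel that is
// never on the allowlist, so they fall through to "blocked".
function scriptOrigin(src, pageUrl) {
  try {
    return new URL(src, pageUrl).origin;
  } catch (e) {
    return "invalid";
  }
}

// Default deny: a script is allowed only if its origin is explicitly listed.
function evaluateScripts(html, pageUrl, allowedOrigins) {
  const allow = new Set(allowedOrigins);
  return externalScriptSrcs(html).map((src) => {
    const origin = scriptOrigin(src, pageUrl);
    return { src, origin, allowed: allow.has(origin) };
  });
}

// Constructed sample: a first-party page whose markup was tampered with to
// pull one script from an unfamiliar host. All hostnames are placeholders.
const SAMPLE_PAGE_URL = "https://news.example.test/story/123";
const SAMPLE_ALLOWLIST = ["https://news.example.test", "https://cdn.example.test"];
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script type="text/javascript" src='//cdn.example.test/lib.js'></script>
</head><body>
<p>Story text</p>
<script src=https://dropper.invalid/x.js></script>
<script>console.log("inline");</script>
</body></html>`;

for (const d of evaluateScripts(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_ALLOWLIST)) {
  console.log(`${d.allowed ? "ALLOW" : "BLOCK"} ${d.origin}  (${d.src})`);
}
```

Inline scripts are deliberately left out of the check since they have no separate origin; a real extension handles those per site rather than per tag.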
Not to nitpick either, but they're both.
When people can track what you are doing while sitting in front of the computer, it's a VERY BIG security issue.
Except I don't have to avoid Javascript entirely.
I can do it selectively.
I can decide who to let into my circle of trust.
Given what kind of random crap seems to be on modern websites these days, that's a very good idea. It's not paranoia when people really are out to get you. Trying to deny the danger is the position that's really out of touch with reality.
YOU are the one that's a danger to self and others, not me.
Juvenile insults won't change that.
A Pirate and a Puritan look the same on a balance sheet.
Some sites have JavaScript that disables context menus (right mouse button) and other things that I don't want. That's why I want to be able to control what my browser does and turn JavaScript off if that gives me a better user experience.
Privacy is terrorism.
Now this furore is a little silly.
Hey! Word to the wise: about:config. I doubt the feature is actually removed...
I assume that this is a UI change and that Mozilla is removing a button that caused a greater cost to support than was justified by its benefit.
Really, the advanced web user, who is judicious about enabling script, can opt for a plugin if they want a button.
"Flyin' in just a sweet place,
Never been known to fail..."
Not according to my button plugin of choice's author. He indicates it is a change in the API that will make his plugin inoperable.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
I've got no problem with your browser choice -- if you want to use Mozilla over Chrome, or IE over Firefox, hey, that's your call. But don't misrepresent the situation.
Google and Yahoo both pushed back hard against the NSA's programs. Yahoo went to court over it. You know what the court said? "Obey."
So what could Google do? You can't run an advertising business without having some information on your users. You can't run an email service without having access to the accounts. Yes, I suppose Google could have theoretically attempted to create a business in which everyone it served were direct customers of encryption services it provided (while explicitly saying that it couldn't decrypt traffic). Maybe that works for a startup, but you can't exactly transition a multi-billion dollar corporation to a direct customer model to avoid the NSA -- especially when you are legally prohibited from acknowledging that the NSA even spoke to you.
More than one of the companies that participate in Prism were forced to do so.
ActiveX was actually smart in the way that it executed fast native code instead of slow interpreted Javascript.
Yeah, smart like in the way it is smart to give a gun to the guy mugging you with his bare hands.
When information is power, privacy is freedom.
Disrespecting the end user is one of the stages of software development team meltdown.
Not to mention it has the nice side effect of saving CPU cycles and preventing web pages from going unresponsive. I tend to enable JavaScript (since disabling it breaks too many sites) but I don't allow it to do anything outside of the web page with the browser itself (manipulate windows or context menus). Of course, none of this really matters, because I've been running NoScript for a few years now and the only sites that are ever allowed to run scripts are the ones I specifically allow to do so.
Do you realize just how much of a pain in the ass Firefox has become over the years due to Mozilla's insistence on removing and changing features along with the ability to change them back with the GUI? Instead we have to deal more and more (and more...) with a cryptic Mozilla equivalent to the Windows or GNOME registry. I bet you love the registry if you have no problem with about:config being even more heavily used. It was fine when it was reserved primarily for "special" options... but more and more, it's becoming like GNOME where it has to be used for damn near every fucking thing. All because Mozilla, for whatever reason, feels the need to go down the Google/GNOME path of dumbing their browser down to hell and back.
IE had ActiveX and such. It was stupid. It was a security issue. It was almost impossible to avoid.
Mozilla Gecko (the framework Firefox is built on) makes extensive use of XPCOM, which is functionally equivalent to ActiveX in every way, except that it works outside of Windows.
Some Firefox plugins are ... XPCOM objects.
XPCOM has been at the core of the Firefox design as long as I've seen the source (I was embedding gecko into apps in my former life, at least 7 years).
You have absolutely no idea whatsoever what ActiveX is, nor do you have any idea what the actual problem with IE was that resulted in so many ActiveX related exploits.
ActiveX is a self-describing plugin system which allows an application to load and potentially use a plugin without any prior knowledge, EXACTLY like XPCOM in Firefox. Again, they are 100% functionally the same.
Internet Explorer had retarded defaults (allow any unsigned activex to install without asking) to begin with, then those were 'fixed', and then the install without prompting exploits started, so malicious sites would install activex controls without your consent ... and then ... we also have to deal with all activex controls which were installed with improper ActiveX safety flags.
The safety flags were two flags set aside to allow an ActiveX control to say 'hey, I'm safe to use in Internet Explorer' and 'I'm safe to allow any random website to use me in IE!'. The morons in the Excel team (as one example) would, out of ignorance, flag all of their controls for Excel as safe for IE/safe for scripting ... so IE thought it was perfectly acceptable to load a control that will read and write random files on the drive. Every time a Windows Update patch for 'ActiveX killbits' comes out ... this is what they are talking about, changing the OS to ignore controls flagged as safe when they are known not to be.
Mozilla has no such support for flagging controls as safe for browser/safe for scripting. It tries to pretend it is an uncrossable barrier, but that is in fact in no way the case.
So any time an 'ActiveX' issue comes up, you should be aware that it wasn't an ActiveX problem, it was Internet Explorer's implementation of ActiveX, and other developers' bad code that was exploitable.
You really can't 'exploit' ActiveX any more than you can 'exploit' a DLL or SO. You can exploit bad implementations of the loader.
Imagine if Firefox allowed web page scripting to automatically install Firefox plugins. Would you blame XPCOM then? That's what you do when you blame ActiveX.
Finally, it makes you look fucking stupid when you blame ActiveX. All you do is make it clear that you don't actually know what the problem was, let alone understand what it was. You just sound like an ignorant drama queen.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
freely???
The NSA more or less demanded Google hand it over. Google has done more than most companies to fight NSA seizure of their data.
More than Microsoft, who after acquiring Skype centralized the protocol, and put a back door in it.
Flashblock (and to a lesser degree, AdBlockPlus) is excellent for reducing CPU usage.
"I don't know, therefore Aliens" Wafflebox1
Yes, JS is scary, but that bit of marketingspeak is a bit over the top: they can't see *every* click/keystroke/etc; just the ones that involve interacting with their site content. And, if you have to worry about them watching you use their site, you hopefully will leave before giving them any important information anyway.
Crap... so NoScript also?
I uninstalled NoScript years ago because of weird failures even with whitelisting. Essentially, I had to whitelist so much that NoScript became pointless.
"I don't know, therefore Aliens" Wafflebox1
There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.
In what ways is NoScript more advanced than ScriptSafe?
Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter, the ClearClick anti-Clickjacking technology and the Application Boundaries Enforcer module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works ;)
There's a browser safer than Firefox, it is Firefox, with NoScript
Are there still security issues with having JS enabled?
Fresh from the summary of the upcoming BlackHat talk by Jeremiah Grossman, A Million Browser Botnet:
With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. [...] no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way.
There's a browser safer than Firefox, it is Firefox, with NoScript
No. This is completely unacceptable. Firefox is my browser of choice, and I don't block JS, but there's no reason whatever I should have to go to a third party if I decide to.
What's next, I'll have to DL the HTML and strip the JS out of the source and run it locally?
Unless Mozilla changes these terrible plans, I'll have to use a different browser. There's no reason whatever to remove this feature.
My answer isn't no, it's HELL NO and fuck you, Mozilla. If you want me to continue using your products you'll grow a brain and think of your users, not your Google sugardaddy.
Free Martian Whores!
I get used to temporarily whitelisting things. It's really interesting to see just how much of the web is utterly dependent upon JavaScript for things that could be done without it. If you enable it all though, you're back to ubiquitous advertisements, tracking and privacy issues, and noticeable drops in performance. I don't need to see every site on the web anyway, so if I have to go and enable things to get it to work then half the time I'll just leave the site and never return; there has to be enough HTML there to give me the idea that enabling JavaScript is worth it. It's like TV, just because it's available doesn't mean you have to watch it.
Seriously, for me: No NoScript = No Firefox.
I'll fuck off and use a different browser.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
The fork already happened, ages ago. SeaMonkey is the Mozilla fork that happened when the Firefox devs decided to go crazy and start stripping out useful stuff. Download SeaMonkey and use it. It's very up to date because it's based on the same code from Mozilla as Firefox. Also, it has the Composer and Email and other integrated stuff intact.
And NoScript runs on it.
Ever have a rogue script on some shitty web site take up 100% of one of your cores, with no easy way to figure out what page it is because you've got several tabs open? Hell, good luck finding out if that bad script is even running directly on one of those pages--chances are it's not, it's some third-party completely unneeded junk running on another domain entirely. NoScript has pretty much eliminated this problem.
I have a dual-core 2 GHz processor and, trust me, when you've effectively got only one useful core because the other one is overloaded... you know it. Never mind the fact that it's not good for the hardware to be running a core at full power/heat all the time, not finding out until it's been burning power for an hour, two, three, or who knows how long. Should I really have to worry about some script running without my knowledge when I go to sleep just because I happened to leave Firefox running with a few dozen tabs open?
And why the hell would I get a second computer if I can solve the problems on the one I have?