Hey guys, I have been seeing a lot of people talking good things about noscript, I have a few questions about it:
- Why isn’t it open source? Is there a open source alternative? To me this kinda feels suspicious, installing an extension that can affect all tabs from outside the Mozzila store, while not even open source…
- How to minimize damage? After briefly trying it on, I couldn’t interact with lemmy anymore, many websites lost their dark mode, youtube wasn’t pausing the video, nor was the like button working…
- Is it really needed? What kind of threat model makes something like that needed? Wouldn’t it be possible to just add other sources for uBlock to block tracking scripts or something?
A lot of user fingerprinting techniques rely on JS. Plus, by shutting off JS, you reduce the attack surface of your browser. If, let’s say, there was a zero-day vulnerability in Firefox that required JS to exploit, you’d be shutting off that whole means of attack if you blocked all/most JS out there on the internet. Mining cryptocurrencies on your computer via your browser can only be accomplished with the help of Javascript. A lot of forever cookie techniques require Javascript.
uBlock origin is for kindof a different use case. It’s for if you’re on one website that you don’t necessarily suspect of evil dealings that might include buttons (like social media sharing buttons, for instance) or other scripts (like ad displaying scripts or analytics scripts) from third parties that might include evil tracking stuff. If I started a blog on https://theawesomeestblog.com/ and included script from Facebook that puts a share button on my page, and if you then visited my blog, Facebook would know because your browser would make requests from your IP with cookies they’d placed on your brower previously and JS included with the button could very well be used to do additional fingerprinting.
NoScript is for (among other things) when you don’t even necessarily trust the website you’re purposefully visiting. Like, I don’t know if cnn.com mines Bitcoin via JS on users’ browsers (and, honestly, it seems a little unlikely to me, I think), but if I disallow JS on cnn.com, then when I click a link in Lemmy to a cnn.com article (and maybe I don’t even really know I’m going to cnn.com when I click the link – it might use a link shortener or something – or maybe it’s not cnn.com, but some reasonably-trustworthy-sounding news-y-sounding domain that I haven’t heard of before), I know it’s not mining Bitcoin on my machine.
Oh, and as others have said, NoScript is Open Source. Says so right near the top of the home page.