On 01/22/2017 09:18 AM, [email protected] wrote:
> forgive me, but in all seriousness, NoScript literally does exactly that
> if not perhaps even better. that's the "temporarily allow scripts"
> button in NoScript.

That requires you to actively turn JavaScript back off. I'm proposing that the browser should take care of that for you. So rather than having to:

1. Turn on JavaScript and reload the page
2. Do all your work on that page without loading any new pages
3. Turn off JavaScript

You just do the first step and the browser takes care of everything else.

> also it's a security risk to temporarily allow ALL javascript and
> quickly disable it again because that would take away the users ability
> to control what happens in that short instant. why in the name of god
> almighty anyone would ever want to create a hole like that is beyond me.

I don't know what you're talking about. Allowing all JavaScript is the *default* setting on most browsers. I'm proposing making *no* JavaScript execution the default, and only executing all JavaScript on *particular pages* when the user requests it.

It has to be all JavaScript requested by the page for it to be user-friendly. Just accepting a few of them almost always breaks the page more than completely disabling JS would.

> unbeatable rules: everything disallowed by default, only enable
> specifically what you want to allow, ONLY WHEN you want to allow it. and
> that's how NoScript does it.

NoScript is too complicated for non-technical users, and it isn't sufficient anyway. It only allows you to control what base URLs scripts can be loaded from. That doesn't work; just about every site that uses JavaScript loads at least some of it from an external site, like ajax.googleapis.com or whatever CDN the site uses.

What I am proposing is a *simple* mechanism to temporarily allow script execution on designated websites *each time* at the push of a button, not for technical users, but for general, non-technical users. The user can simply be told, "some websites require you to push this button, but only push this button if you absolutely must, because it can be a security risk". This accomplishes two things:

1. It protects these non-technical users from JavaScript-related attacks somewhat.
2. It encourages these users to complain to sites that don't work without JavaScript.

The whole point of this is to encourage people who create websites to make these websites work without JavaScript, rather than just showing a blank page. In other words: kill JavaScript. It's a bit of a longshot, but it would be much easier to do this than to make a browser that actually makes it possible for users to control JavaScript execution properly.

--
Julie Marchant
https://onpon4.github.io
Protect your emails with GnuPG: https://emailselfdefense.fsf.org
-- http://gnuzilla.gnu.org
