"That requires you to actively turn JavaScript back off."
why are you saying "back" off? NoScript blocks everything by default and then
you simply allow SPECIFIC individual things ONLY that you want to allow as you
go.
"1. Turn on JavaScript and reload the page"
"2. Do all your work on that page without loading any new pages"
"3. Turn off JavaScript"
Gosh I have a headache, I'm sorry but have you ever even used NoScript?
I'll just copy-paste what I said before for simplicity.
NoScript blocks everything by default and then you simply allow SPECIFIC
individual things ONLY that you want to allow as you go.
I never have to turn on all javascript, reload, do work, turn it off, reload,
and go crazy. NoScript blocks everything, and I simply allow only what I need.
"I don't know what you're talking about. Allowing all JavaScript is the
*default* setting on most browsers. I'm proposing making *no* JavaScript
execution the default, and only executing all JavaScript on *particular
pages* when the user requests it."
there are several addons that do this already by blocking javascript and other
things by default and allowing you to turn them on ONLY when you need them.
"Allowing all JavaScript is the
*default* setting on most browsers."
exactly why people use NoScript. I'm totally serious, look it up just to see
its definition. you might be surprised.
"NoScript is too complicated for non-technical users, and it isn't
sufficient anyway."
I have seen people who don't know how to pour a bowl of cereal without the
cereal pouring out all over the place and making a huge mess, successfully use
NoScript easily.
"It only allows you to control what base URLs scripts
can be loaded from. That doesn't work; just about every site that uses
JavaScript loads at least some of it from an external site, like
ajax.googleapis.com or whatever CDN the site uses."
I have heard that a lot of people use NoScript AND RequestPolicy at the same
time solving most if not all of those issues. that might be a bit too difficult
for you if you don't like NoScript though to be honest. I have seen people
catch on to NoScript fairly quick, so practice makes perfect.
"What I am proposing is a *simple* mechanism to temporarily allow script
execution on designated websites *each time* at the push of a button"
"This accomplishes two things:"
"1. It protects these non-technical users from JavaScript-related attacks
somewhat."
"2. It encourages these users to complain to sites that don't work
without JavaScript."
Yeah but what does this do that NoScript doesn't already do?
NoScript blocks everything by default without having to push a button, until
you want to unblock SOME specific piece of the javascript on the page. not,
*push a button* *all java suddenly allowed*
often I have seen a person allow one piece of javascript on the page and the
whole page suddenly works because that was the only piece needed. 99% of the
other garbage wasn't even necessary so it stayed blocked. NoScript does a great
job of disallowing everything until the user specifically allows specific
things.
"The whole point of this is to encourage people who create websites to
make these websites work without JavaScript, rather than just showing a
blank page."
I don't like javascript as much as the next person and I would LOVE for more
people to make simpler (complicated is absolutely not always better) javascript
free websites, but I think a giant generalized easy for newbies (no offense to
newbies) allow all disallow all button is going to cause everyone else who
understands how request policy and noscript work huge GIANT headaches.
what you are suggesting is basically a more permanent version of the
"temporarily allow all" button in NoScript which is pretty dangerous especially
when you're considering that this button will be used by "general non-technical
users" or tech newbies if you will, because all they will do is be given a
false sense of security by the "magic button of safety" and push it over and
over again until it gives them what they want, (letting their favorite page
load) something akin to an adult having a very quiet temper tantrum until they
get what they want.
general non-technical users or tech newbies sadly don't understand why icecat or
gnu or free open source software (foss) or the free software foundation, or any
of us for that matter, - do what we do.
they just don't get it, they are all busy using google to find something to
twitter onto their facebook page while posting to the whole world that they ate
cereal at exactly 10 in the morning so that the NSA can scribble down in their
slave profile notebook "hmmm eats-cer-e-a-l-at-ten-in-th-e-mor-ning-"
adding a feature that gives the blissfully ignorant normal people (again no
offense, just saying it like it is) a false sense of security as an excuse to
use icecat isn't going to make them safer and is going to give everyone who
makes icecat "Go" more work to do.
I'd rather spend the effort educating newbies and normal people into people who
are no longer generalized non-techies, and instead are tech aware and willing
to do things the right way.
give someone a fish and they will beg you for more and maybe starve the next
week. teach someone to fish and they will eat forever.
22. Jan 2017 09:42 by [email protected]:
> On 01/22/2017 09:18 AM, [email protected] wrote:
>> forgive me, but in all seriousness, NoScript literally does exactly that
>> if not perhaps even better. that's the "temporarily allow scripts"
>> button in NoScript.
>
> That requires you to actively turn JavaScript back off. I'm proposing
> that the browser should take care of that for you. So rather than having to:
>
> 1. Turn on JavaScript and reload the page
> 2. Do all your work on that page without loading any new pages
> 3. Turn off JavaScript
>
> You just do the first step and the browser takes care of everything else.
>
>> also it's a security risk to temporarily allow ALL javascript and
>> quickly disable it again because that would take away the user's ability
>> to control what happens in that short instant. why in the name of god
>> almighty anyone would ever want to create a hole like that is beyond me.
>
> I don't know what you're talking about. Allowing all JavaScript is the
> *default* setting on most browsers. I'm proposing making *no* JavaScript
> execution the default, and only executing all JavaScript on *particular
> pages* when the user requests it.
>
> It has to be all JavaScript requested by the page for it to be
> user-friendly. Just accepting a few of them almost always breaks the
> page more than completely disabling JS would.
>
>> unbeatable rules: everything disallowed by default, only enable
>> specifically what you want to allow, ONLY WHEN you want to allow it. and
>> that's how NoScript does it.
>
> NoScript is too complicated for non-technical users, and it isn't
> sufficient anyway. It only allows you to control what base URLs scripts
> can be loaded from. That doesn't work; just about every site that uses
> JavaScript loads at least some of it from an external site, like
> ajax.googleapis.com or whatever CDN the site uses.
>
> What I am proposing is a *simple* mechanism to temporarily allow script
> execution on designated websites *each time* at the push of a button,
> not for technical users, but for general, non-technical users. The user
> can simply be told, "some websites require you to push this button, but
> only push this button if you absolutely must, because it can be a
> security risk". This accomplishes two things:
>
> 1. It protects these non-technical users from JavaScript-related attacks
> somewhat.
>
> 2. It encourages these users to complain to sites that don't work
> without JavaScript.
>
> The whole point of this is to encourage people who create websites to
> make these websites work without JavaScript, rather than just showing a
> blank page. In other words: kill JavaScript. It's a bit of a longshot,
> but it would be much easier to do this than to make a browser that
> actually makes it possible for users to control JavaScript execution
> properly.
>
> --
> Julie Marchant
> https://onpon4.github.io
>
> Protect your emails with GnuPG:
> https://emailselfdefense.fsf.org
--
http://gnuzilla.gnu.org